
BCM Legislations, Regulations, Standards and Good Practice

February 2016


INTRODUCTION

The BCI is regularly asked by members and other interested parties about current legislation, regulation and standards that exist nationally and internationally for Business Continuity Management.

It is difficult to provide a definitive list because there are regular changes and amendments at a country level and often inconsistent terminology between countries, sectors and legislators.

The document that follows is the most comprehensive that it was possible to produce based upon information provided to us by our members around the world. Where we have country input we have included it alphabetically. At the start of the document we have listed current and projected international initiatives, particularly those supported by the International Standards Organization (ISO), the European Union (EU) and the Basel Committee on Banking Supervision.

Each entry is categorized into one of four headings:

LEGISLATIONS: Government laws which include aspects of Business Continuity Management by name or are sufficiently similar in nature (Disaster Recovery, Emergency Response, Crisis Management) to be treated as BCM legislation for this purpose. To be included in this category they must be legally enforceable legislation passed by a national, federal, state or provincial government, depending upon the legal structure in each particular country.

REGULATIONS: Mandatory rules or audited guidance documents from official regulatory bodies in sectors such as Financial Services, Telecommunications, Energy, Oil, Gas and Chemicals. Those which could reasonably be construed as having some implications for an organization’s BCM provisions are included. General help and guidance documents are included under Good Practice.

STANDARDS: Official standards from national (and international) accredited standards bodies which relate to Business Continuity as a whole or to a specific related subset such as IT Service Continuity. The list also includes standards for different but related topics (like Information Security) when BCM is included only as a part requirement for compliance. “Standards” that are issued by third parties or professional groups will only be included if they are issued by an accredited national standards body or accredited directly by a national accreditation service.

GOOD PRACTICE: Guidelines published as good (or best) practice by various authoritative bodies. These documents may form part of a wider set of advice provided by a professional body for which BCM is only a peripheral activity. Alternatively, they might be issued by a BCM professional body as general guidance either locally or internationally. They provide no mandated rules but are well used and accepted as credible advice by BCM professionals.

Countries for which we have no information available under any of the four headings are not included. If any reader has additional information to help us fill in these gaps, please submit details to [email protected] for future amendment of the document. We normally update this at the beginning of each calendar year.


WARNING

The BCI has done its best to check the validity of these details but takes no responsibility for their accuracy and currency at any particular time or in any particular circumstances.

Some of the listed items (particularly under legislation and regulation) are only indirectly related to Business Continuity Management, and should not be interpreted as specifically designed for BCM. However, they will contain sections which can be useful to a BCM practitioner, and are consequently included in this reference document.

It should also be noted that in some countries Regulatory Practices and/or ISO Standards might be incorporated into national legislation, thus giving the document additional importance in those specific countries.

BCI Editorial Team

Deborah Higgins MBCI

Head of Learning & Development

Patrick Alcantara DBCI

Senior Research Associate

Gianluca Riglietti

Research Assistant


LEGEND

The following colours are used against various entries to indicate which sectors are affected by the relevant guidance, rule or regulation. We acknowledge the efforts of the Disaster Recovery Journal in coming up with these categories.

Sector categories (the colour swatches themselves are not reproduced in this text version):

Banking & Finance
Public Health & Healthcare
Transportation & Shipping
Energy (including nuclear)
Industry - General
Agriculture, Food Supply & Water
Information Distribution & Communications
Government & Public Agencies

VERSION RECORD

File Reference | Date | Author / amend | Description | Status
0.1 | October 09 | Lyndon Bird | | DRAFT
0.2 | April 2010 | Jan Gilbert | Updated | DRAFT
0.3 | June 2010 | Jan Gilbert | Updated | DRAFT
0.4 | June 2010 | Jan Gilbert | | FINAL DRAFT
0.5 | August 2010 | Jan Gilbert | Updated | FINAL DRAFT
0.6 | January 2011 | Lyndon Bird | Updated | ISSUE – V1
0.7 | January 2012 | Lyndon Bird | Updated | ISSUE – V2
0.8 | March 2013 | Jan Gilbert | Updated | ISSUE – V3
0.9 | July 2013 | Chris Green | Updated | DRAFT
    |           | Ian Clark | Updated | DRAFT
1.0 | January 2014 | Lyndon Bird | Authorized | ISSUE – V4
1.1 | January 2015 | Lyndon Bird | Authorized | ISSUE – V5
1.2 | February 2016 | Patrick Alcantara | Updated | ISSUE – V6
    |               | Deborah Higgins | Authorized |

Contents

Section | Page
INTRODUCTION | i
WARNING | ii
LEGEND | iii
VERSION RECORD | iii
INTERNATIONAL | 1
ARGENTINA | 16
AUSTRALIA | 16
AUSTRIA | 21
BAHAMAS | 22
BARBADOS | 24
BELGIUM | 24
BRAZIL | 26
CANADA | 28
CHINA | 30
DENMARK | 31
FRANCE | 31
GERMANY | 32
HONG KONG | 36
INDIA | 39
INDONESIA | 41
ISRAEL | 41
ITALY | 42
JAPAN | 46
KAZAKHSTAN | 48
KENYA | 49
LATVIA | 49
MALAYSIA | 50
MALTA | 51
NETHERLANDS | 51
NEW ZEALAND | 52
PAKISTAN | 54
PALESTINE | 54
PERU | 55
PHILIPPINES | 55
POLAND | 57
PORTUGAL | 58
RUSSIA (Russian Federation) | 59
RWANDA | 60
SINGAPORE | 61
SOUTH AFRICA | 64
SOUTH KOREA (Republic of Korea) | 66
SRI LANKA | 67
SWEDEN | 68
SWITZERLAND | 74
THAILAND | 74
UAE | 75
UK | 76
USA | 84
Additional Resources | 108


INTERNATIONAL

TITLE / TYPE / AUTHORITY / SUMMARY / LINK

Title: The European Programme for Critical Infrastructure Protection (EPCIP)
Type: Legislation
Authority: European Commission
Summary: The European Programme for Critical Infrastructure Protection (EPCIP) has been laid out in EU Directives by the Commission (e.g. EU COM (2006) 786 final). It has proposed a list of European critical infrastructures (ECIs) based upon inputs by its Member States. Reference Memo-06-477_EN. Each designated ECI will have to have an Operator Security Plan (OSP) covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritization of counter-measures and procedures.
Link: http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l33260_en.htm

Title: Solvency II (2009/138/EC)
Type: Legislation
Authority: European Commission
Summary: Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
Link: http://eur-lex.europa.eu/legal-content/SV/TXT/HTML/?uri=CELEX:32009L0138&from=EN

Title: High Level Principles for Business Continuity
Type: Regulation
Authority: Basel Joint Forum: Basel Committee on Banking Supervision; International Organization of Securities Commissions (IOSCO); International Association of Insurance Supervisors. Published by Bank of International Settlements, Basel in August 2006.
Summary:
1. A comprehensive BCM process with responsibility by the Board of Directors and Senior Management.
2. Integration of risk of significant operational disruptions into BCM.
3. Recovery objectives that take account of their systemic relevance and the resulting risk for the financial system.
4. Definition of internal and external communication measures in the event of major business interruptions.
5. Communication concepts must cover communication with foreign supervisory authorities.
6. Testing of BCPs to evaluate their effectiveness.
7. Institutions are subject to supervision as part of the ongoing monitoring process.
Link: http://ithandbook.ffiec.gov/media/22111/ex_basel_high_princ_bc_a.pdf

Title: Basel II: BASEL capital accord (April 2003) (Currently incorporated in the International Convergence of Capital Measurement and Capital Standards: A Revised Framework)
Type: Regulation
Authority: Basel Committee on Banking Supervision
Summary: Addresses operational risk and defines it as “the risk of loss resulting from inadequate or failed internal processes, people & systems, or from external events.”
Link: http://www.bis.org/publ/bcbs107.htm

Title: Basel III (Basel 3)
Type: Regulation
Authority: Basel Committee on Banking Supervision
Summary: The term is now in common usage anticipating the next revision to the Basel Accords. The Bank for International Settlements (BIS) itself began referring to this new international regulatory framework for banks as "Basel III" in September 2010.
Link: http://www.bis.org/publ/bcbs201.pdf

Title: ISO TC 292
Type: Standard
Authority: Technical Committee 292 of the International Standards Organization (ISO)
Summary: TC292 is responsible for a wide range of standards under the general title of Security and Resilience. Work Group 2 concentrates on BCM and Organizational Resilience.
Link: http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=295786

Title: BS EN ISO 22300:2014 – Societal Security – Terminology
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Societal Security – Vocabulary for all 223 series standards including direct BCM standards ISO 22301 and ISO 22313.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=56199

Title: BS EN ISO 22301:2014 – Societal Security – Business Continuity Management Systems – Requirements
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=50038

Title: BS EN ISO 22311:2014 – Societal Security – Video Surveillance – Export Interoperability
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Specifies a common output file format that can be extracted from video-surveillance content collection systems (stand-alone machines or large scale systems) by exchangeable data storage media or through a network, to allow end-users to access digital video-surveillance content and perform their necessary processing.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53467

Title: ISO/TR 22312:2011 – Societal Security – Technological Capabilities
Type: Standard
Authority: International Standards Organization (ISO)
Summary: An enumeration of different existing available technologies which would be relevant to standardize within the field of societal security.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=56897

Title: BS EN ISO 22313:2014 – Societal Security – Business Continuity Management Systems – Guidance
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Guidance for establishing incident response and continuity programs. This will support implementation of ISO 22301.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=50050

Title: BS ISO 22315:2014 – Societal Security – Mass Evacuation – Guidelines for Planning
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Guidelines for mass evacuation planning in terms of establishing, implementing, monitoring, evaluating, reviewing, and improving preparedness.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50052

Title: PD ISO/TS 22317:2015 – Societal Security – Business Continuity Management Systems – Guidelines for Business Impact Analysis (BIA)
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Guidance for establishing Business Impact Analysis. This will support implementation of ISO 22301.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50054

Title: PD ISO/TS 22318:2015 – Societal Security – Business Continuity Management Systems – Guidelines for Supply Chain Continuity
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Guidance for establishing supply chain continuity programs.

Title: ISO 22320:2011 – Societal Security – Emergency Management – Requirements for Incident Response
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Minimum requirements for effective incident response; provides the basics for command and control, operational information, coordination and cooperation within an incident response organization.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=53347

Title: BS ISO 22322:2015 – Societal Security – Emergency Management – Guidelines for Public Warning
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Provides guidelines for developing, managing, and implementing public warning before, during, and after incidents.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53335

Title: BS ISO 22324:2015 – Societal Security – Emergency Management – Guidelines for Colour-Coded Alert
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Guidelines for the use of colour codes to inform people at risk as well as first response personnel about danger and to express the severity of a situation.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50061

Title: BS ISO 22397:2014 – Societal Security – Guidelines for Establishing Partnering Arrangements
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Provides guidelines for establishing partnering arrangements among organizations to manage multiple relationships for events impacting on societal security. Incorporates principles and describes the process for planning, developing, implementing and reviewing partnering arrangements.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50293

Title: BS ISO 22398:2013 – Societal Security – Guidelines for Exercises
Type: Standard
Authority: International Standards Organization (ISO)
Summary: Guidelines for an organization to plan, conduct, and improve its exercise projects, which may be organized within an exercise programme. It is intended for use by anyone with responsibility for ensuring the competence of the organization's personnel, particularly the leadership of the organization, and those responsible for managing exercise programmes and exercise projects.
Link: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50294

Title: COBIT 5 – Control Objectives for Information & Related Technology 5 (September 2014)
Type: Standard
Authority: IT Governance Institute Standards
Summary: Generally accepted information technology control objectives. Domains include:
Principles, Policies and Frameworks
Processes
Organizational Structures
Culture, Ethics and Behaviour
Information
Services, Infrastructure and Applications
People, Skills and Competencies
Link: http://www.isaca.org/cobit/pages/default.aspx

Title: ITIL v.3 (international) – IT Infrastructure Library
Type: Standard
Summary: IT Service Continuity Management is part of the “Service Design” book in ITIL version 3. Global standard in the area of service management. ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. Contains comprehensive publicly accessible specialist documentation on the planning, provision and support of IT services.
Link: http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
Link: http://www.itil-officialsite.com/

Title: ISO 9000 Series – Quality Management
Type: Standard
Authority: International Standards Organization (ISO)
Summary:
ISO 9000:2015, Basic Concepts and Language
ISO 9001:2015, Quality Management Systems
ISO 9002:2000, Quality Assurance
ISO 9004:2009, Managing for Sustained Success
ISO 19001:2011, Internal and External Audits
Link: http://www.iso.org/iso/home/standards/management-standards/iso_9000/iso9001_revision.htm

Title: BS ISO/IEC 17021-1:2015
Type: Standard
Authority: ISO/IEC
Summary: This Technical Specification complements the existing requirements of ISO/IEC 17021:2011. It includes specific competence requirements for personnel involved in the certification process for business continuity management systems (BCMS).
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=64956

Title: BS ISO/IEC 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems – Requirements
Type: Standard
Authority: ISO/IEC
Summary: Information Security Management System requirements. Minor focus on:
Business continuity management process
Writing and implementing continuity plans
Business continuity planning framework
Business continuity and impact analysis
Testing and maintaining BCPs
BCM clauses are now overtaken by ISO 22301.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=54534

Title: BS ISO/IEC 27002:2013 – Information Technology – Security Techniques – Code of Practice for Information Security Controls
Type: Standard
Authority: ISO/IEC
Summary: Guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
Link: http://www.iso.org/iso/catalogue_detail?csnumber=54533

Title: BS ISO/IEC 27003:2010 – Information Technology – Security Techniques – Information Security Management System Implementation Guidance
Type: Standard
Authority: ISO/IEC
Summary: Critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=42105

Title: BS ISO/IEC 27004:2009 – Information Technology – Security Techniques – Information Security Management – Measurement
Type: Standard
Authority: ISO/IEC
Summary: Guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=42106

Title: BS ISO/IEC 27035:2011 – Information Technology – Security Techniques – Information Security Incident Management
Type: Standard
Authority: ISO/IEC
Summary: Information Security Incident Management.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=44379

Title: BS ISO/IEC 27036-1:2014 – Information Technology – Security Techniques – Information Security for Supplier Relationships – Overview and Concepts
Type: Standard
Authority: ISO/IEC
Summary: Provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. ISO/IEC 27036-1:2014 addresses perspectives of both acquirers and suppliers.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=59648

Title: BS ISO/IEC 27036-2:2014 – Information Technology – Security Techniques – Information Security for Supplier Relationships – Requirements
Type: Standard
Authority: ISO/IEC
Summary: Specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=59648

Title: BS ISO/IEC 27036-3:2013 – Information Technology – Security Techniques – Information Security for Supplier Relationships – Part 3: Guidance for Information and Communication Technology Supply Chain Security
Type: Standard
Authority: ISO/IEC
Summary: Provides guidance for product and service acquirers and suppliers in the information and communication technology (ICT) supply chain.
Link: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59688

Title: ISO/IEC 27031:2011 – Information Technology – Security Techniques – Guidelines for Information and Communication Technology Readiness for Business Continuity
Type: Standard
Authority: ISO/IEC (International Electrotechnical Commission)
Summary: ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity.
Link: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44374

Title: ISO 31000:2009 Risk Management Standard
Type: Standard
Authority: ISO
Summary: ISO 31000 provides high level principles and generic guidelines for Risk Management.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=43170
Link: http://en.wikipedia.org/wiki/ISO_31000

Title: ISO Guide 73:2009 – Risk Management – Vocabulary
Type: Standard
Authority: ISO
Summary: Definitions of generic terms related to risk management.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=44651

Page 17: BCM Legislations, Regulations, Standards and Good … › uploads › assets › uploaded › aa17d414...REGULATIONS: Mandatory rules or audited guidance documents from official regulatory

Page | 11

ISO/IEC 20000-1:2011 – Information Technology – Service Management – Part 1: Service Management System Requirements
Category: Standard
Authority: ISO/IEC
Summary: IT Service Management.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=51986

IEC 61508:2010 – Functional Safety of Electrical, Electronic and Programmable Electronic Safety Related Systems
Category: Standard
Authority: IEC
Summary: Part 1 outlines the management requirements. The other six parts deal with hardware, software, documentation, explanatory notes and risk management. In essence, part 1 deals with the management requirement to manage the overall risks of process automation software development, not just software and hardware, so it is all-encompassing.
Link: http://www.iec.ch/functionalsafety/

IEC 60300 – Dependability
Category: Standard
Authority: IEC
Summary: This standard deals with the availability, reliability, serviceability and maintainability of process automation software systems. It is part of a family of standards on dependability; the link below gives the full list.
Link: http://www.iec.ch/about/brochures/pdf/technology/dependablility.pdf

IEC 61804 – Digital Communication
Category: Standard
Authority: IEC
Summary: Function blocks (FB) for process control. Overview of system aspects.
Link: http://webstore.iec.ch/preview/info_iec61804-2%7Bed2.0%7Den.pdf

BCI Good Practice Guidelines 2013 Global Edition
Category: Good Practice
Authority: BCI (Business Continuity Institute)
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 is intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles. The Guide is now available in English (UK and US), French, Spanish, Italian, Arabic, Mandarin, Japanese, Greek, Romanian, Portuguese and Russian.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

Generally Accepted Principles (GAP) for Business Continuity
Category: Good Practice
Authority: DRJ (Disaster Recovery Journal) Editorial Advisory Board
Summary: Professional practice including developing business continuity management strategies and other contingency planning measures.
Link: http://www.drj.com/GAP/gap.pdf

DRI International: “Ten Professional Practices for Business Continuity Professionals”
Category: Good Practice
Authority: DRII (Disaster Recovery Institute International)
Summary: Professional practice guidance for developing business continuity management strategies and other contingency plans.
Link: https://www.drii.org/certification/professionalprac.php

ISACA Doc G32
Category: Good Practice
Authority: ISACA
Summary: Audit guidance for assessing BC plans from the perspective of IT audit and control standards.

Business Continuity Planning Committee Best Practice Guidelines (April 2011)
Category: Good Practice
Authority: ISIA (International Securities Industry Association)
Summary: Presents guidelines that can assist in the establishment of a comprehensive business continuity program. It is not intended to be an outline of a business continuity plan or a single best approach, but rather a summary of significant components that an organization may wish to consider when developing a full business continuity program.
Link: http://www.sifma.org/uploadedfiles/services/bcp/sifma-bc-practices-guidelines2011-04.pdf

COSO Enterprise Risk Management Framework (Sept 2004)
Category: Good Practice
Authority: COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Summary: Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language and provides clear direction and guidance for enterprise risk management.
Link: http://www.coso.org/guidance.htm

Statement on Auditing Standards (SAS) No. 70, Service Organizations
Category: Good Practice
Authority: American Institute of Certified Public Accountants (AICPA)
Summary: A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes. Service organizations receive significant value from having a SAS 70 engagement performed.
Link: http://www.sas70.com/

EBA Guidelines on Internal Governance (GL 44)
Category: Good Practice
Authority: European Banking Authority (EBA)
Summary: EBA’s guidelines aim to strengthen internal governance and control at credit institutions and securities institutions. EBA has focused, for example, on tightening requirements regarding corporate structure; the supervisory authority’s role, duties and responsibilities; information and IT systems; continuity planning; and heightened transparency requirements.
Link: https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-internal-governance

ALBANIA

Regulation on Operational Risk Management
Category: Regulation
Authority: Bank of Albania (BoA)
Summary: Sets out the requirements and rules for operational risk management in the banking and/or financial industries. In force from 24 February 2011.
Link: http://www.bankofalbania.org/web/Regulation_On_the_operational_risk_managment_6063_2.php?kc=0,28,0,0,0

Law on Electronic Communications
Category: Legislation
Authority: Authority of Electronic and Postal Communications (AEPC)
Summary: Lays down the principles of competition and of an efficient infrastructure for electronic communications, aiming to ensure necessary and appropriate services in Albania. In force from 25 June 2008. See Chapter XII, “Electronic Communications in Special Cases”.
Link: http://www.akep.al/informacion/legjislacioni/ligji-kom-elek-ligji-sherb-postar

National Civil Emergency Plan (NCEP)
Category: Guideline
Authority: Council of Ministers
Summary: Serves as a comprehensive practical guide and covers in detail all stages of the disaster cycle, including the prevention, mitigation and preparedness phases. In force from 03 December 2004.
Link: http://www.mbrojtjacivile.al/wp-content/uploads/2013/09/National-Civil-Emergency-Plan-of-Albania-2004.pdf

ARGENTINA

Requisitos mínimos de gestión, implementación y control de los riesgos relacionados con tecnología informática y sistemas de información – Communication A4609
Category: Regulation
Authority: Central Bank of Argentina
Summary: Standard on "Minimum Management Requirements, Implementation and Control Related to Information Technology, Information Systems and associated facilities for financial institutions".
Link: http://www.bcra.gov.ar/pdfs/texord/texord_viejos/v-rmsist_12-12-11.pdf

BCI Good Practice Guidelines 2013 (Spanish)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

AUSTRALIA

Protective Security Framework – June 2010 (Approved June 2010, Amended July 2015)
Category: Legislation
Authority: Australian Government Attorney General’s Department (AGD)
Summary: Applies to all Australian Government Agencies and mandates BCM for all agencies.
Link: https://www.protectivesecurity.gov.au/ExecutiveGuidance/Documents/ProtectiveSecurityPolicyFrameworkSecuringGovernmentBusiness.pdf

APRA Prudential Standard CPS 232 Business Continuity Management, January 2015
Category: Regulation
Authority: Australian Prudential Regulation Authority (APRA)
Summary: APRA regulation for BCM used by ADIs, General Insurance and Life Insurance.
Link: http://www.apra.gov.au/CrossIndustry/Documents/Prudential%20Standard%20CPS%20232%20Business%20Continuity%20Management.pdf

APRA Prudential Standard CPS 220 Risk Management, January 2015
Category: Regulation
Authority: Australian Prudential Regulation Authority (APRA)
Summary: APRA Risk Management Regulation.
Link: http://www.apra.gov.au/CrossIndustry/Documents/Final-Prudential-Standard-CPS-220-Risk-Management-(January-2014).pdf

APRA Prudential Standard CPS 231 Outsourcing, January 2015
Category: Regulation
Authority: Australian Prudential Regulation Authority (APRA)
Summary: Outsourcing regulation for BCM used by ADIs, General Insurance and Life Insurance.
Link: http://www.apra.gov.au/CrossIndustry/Documents/Prudential%20Standard%20CPS%20231%20Outsourcing.pdf

APRA Prudential Standard SPS 232 Business Continuity Management, November 2012
Category: Regulation
Authority: Australian Prudential Regulation Authority (APRA)
Summary: Applies to all Registrable Superannuation Entity (RSE) licensees.
Link: http://www.apra.gov.au/Super/PrudentialFramework/Documents/Final-SPS-232-BCM-November-2012.pdf

APRA Prudential Practice Guide SPG 200 Risk Management, August 2010
Category: Good Practice
Authority: Australian Prudential Regulation Authority (APRA)
Summary: The purpose of this Prudential Practice Guide (PPG) is to assist Registrable Superannuation Entity (RSE) licensees and their directors in complying with provisions relating to risk management frameworks and, more generally, to outline sound practices in relation to this particular area of a licensee’s superannuation operations.
Link: http://www.apra.gov.au/Super/PrudentialFramework/Documents/SPG-200-Risk-Management.pdf

APRA Prudential Practice Guide CPG 233 Pandemic Planning, May 2013
Category: Good Practice
Authority: Australian Prudential Regulation Authority (APRA)
Summary: This PPG aims to assist regulated institutions in considering and prudently managing the risks posed by a potential influenza pandemic, or any other widespread outbreak of contagious disease that could affect their operations.
Link: http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-233-Pandemic-Planning-May-2013.pdf

APRA Prudential Practice Guide CPG 234 – Management of security risk in information and information technology, May 2013
Category: Good Practice
Authority: Australian Prudential Regulation Authority (APRA)
Summary: This PPG aims to assist regulated institutions in the management of security risk in information and information technology (IT).
Link: http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-234-Management-of-Security-Risk-May-2013.pdf

APRA Prudential Practice Guide CPG 235 Managing Data Risk, September 2013
Category: Good Practice
Authority: Australian Prudential Regulation Authority (APRA)
Summary: This PPG aims to assist regulated entities in managing data risk.
Link: http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-235-Managing-Data-Risk.pdf

APRA Prudential Standard CPS 510 Governance, January 2015
Category: Regulation
Authority: Australian Prudential Regulation Authority (APRA)
Summary: APRA Regulation on Good Governance used by ADIs, General Insurance and Life Insurance.
Link: http://www.apra.gov.au/CrossIndustry/Documents/Final-Prudential-Standard-CPS-510-Governance-(January-2014).pdf

Australian Financial Markets Association (AFMA) Code of Conduct Guidelines
Category: Good Practice
Authority: Australian Financial Markets Association
Summary: These Guidelines are intended to assist AFMA Members in their understanding and application of the AFMA Code of Conduct and the Ethical Principles. See section 1 for their guideline on "Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Testing".
Link: http://www.afma.com.au/afmawr/_assets/main/LIB90010/Code%20of%20Conduct%20-%20GUIDELINES.pdf

AS/NZS 5050:2010 Business continuity – Managing disruption-related risk
Category: Standard
Authority: Standards Australia
Summary: Provides a generic guide for Business continuity – Managing disruption-related risk. It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group.
Link: http://infostore.saiglobal.com/store/details.aspx?ProductID=1409610

AS 3745-2010/Amdt 1-2014 Planning for emergencies in facilities
Category: Standard
Authority: Standards Australia
Summary: Planning for emergencies in facilities.
Link: http://infostore.saiglobal.com/EMEA/Details.aspx?ProductID=1724114

Business Continuity Management Handbook HB 221:2004
Category: Good Practice
Authority: Standards Australia
Summary: Information security risk management guidelines.
Link: http://infostore.saiglobal.com/EMEA/Details.aspx?ProductID=568847

A Practitioner’s Guide to Business Continuity Management HB 292-2006
Category: Good Practice
Authority: Standards Australia
Summary: This Guide provides an overview of selected ‘generally accepted practices’ and emerging new practices used variously within Australasia, the USA and the UK. BCM practice is such that approaches that work well in one organization may be wholly inappropriate for a different organization. Extreme care therefore needs to be taken in deciding what aspects of BCM will be implemented within an organization, and how.
Link: http://infostore.saiglobal.com/EMEA/Details.aspx?ProductID=568883

Executive guide to business continuity management HB 293:2006
Category: Good Practice
Authority: Standards Australia
Summary: Provides senior management with an overview of the key concepts and processes that are required to implement and maintain an integrated, robust business continuity management program.
Link: http://infostore.saiglobal.com/EMEA/Details.aspx?ProductID=568884

Australia: Financial Safety Net and Crisis Management Framework
Category: Report
Authority: International Monetary Fund (IMF)
Summary: IMF report on crisis management in the financial sector.
Link: http://www.apra.gov.au/AboutAPRA/Publications/Documents/Financial%20Safety%20Net%20and%20Crisis%20Management%20Framework%20%E2%80%93%20Technical%20Note%20%E2%80%93%20November%202012.pdf

Business Continuity Management, Building Resilience in Public Sector Entities (Updates planned 2016)
Category: Good Practice
Authority: Australian National Audit Office (ANAO)
Summary: Produced following consultation with Australian Government and private sector entities. It is ‘presented in a more user-friendly format, and includes contemporary practical advice, case studies and references as well as exploring issues within the business continuity environment that have arisen since the previous ANAO publication’. ANAO states that business continuity management is an essential component of good public sector governance and is part of an entity’s overall approach to effective risk management. It says that the guide will be a useful reference document for boards, chief executives and senior management in public sector entities.
Link: http://www.anao.gov.au/uploads/documents/Business_Continuity_Management_.pdf

AIIMS 2004 – Australian Inter-service Incident Management System
Category: Good Practice
Authority: The Australasian Inter-Service Incident Management System (AIIMS)
Summary: The nationally recognised system of incident management for the nation's fire and emergency service agencies: the organizational principles and structure used to manage bushfires and other large emergencies (e.g. floods, storms, cyclones).

Australian Emergency Manual Series (several volumes), 2013
Category: Good Practice
Authority: Emergency Management Australia
Summary: Provides guiding principles, practices and skills references in emergency management that can assist agencies in creating emergency management plans, programs and activities consistent with existing programs and policies.
Link: https://www.emknowledge.gov.au/

AUSTRIA

ONR 49000
Category: Standard
Authority: Austria National Standards
Summary: German language – Risk Management Definitions.

ONR 49001
Category: Standard
Authority: Austria National Standards
Summary: German language – Risk Management.

ONR 49002-1
Category: Standard
Authority: Austria National Standards
Summary: German language – Risk Management Guidelines.

ONR 49002-2
Category: Standard
Authority: Austria National Standards
Summary: German language – Risk Management Methods.

ONR 49002-3
Category: Standard
Authority: Austria National Standards
Summary: German language – Crisis Management & BCM.

ONR 49003:2008
Category: Standard
Authority: Austria National Standards
Summary: Qualification Requirements for Crisis Managers.

BCI Good Practice Guidelines 2013 (German)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

BAHAMAS

Disaster Preparedness and Response Act 2006; Emergency Relief Guarantee Fund Act 1999
Category: Legislation
Authority: National Emergency Management Agency (NEMA)
Summary: NEMA is the government agency of the Commonwealth of The Bahamas. It is responsible for all disaster planning and related legislation and guidance, particularly related to hurricanes.
Link: http://faolex.fao.org/docs/pdf/bha112237.pdf

PU19-0406 – Supervisory and Regulatory Guidelines – Business Continuity, 1st May 2007
Category: Regulation
Authority: The Central Bank of the Bahamas
Summary: The directives apply to all commercial banks (domestic or foreign) operating in all territories of the Bahamas. They are based upon the Basel Committee’s Joint Forum “High Level Principles.”

BCM Standards
Category: Standard
Authority: The Bahamas tend to use North American standards rather than British or ISO equivalents.
Summary: A number of banks are Canadian owned and their BCM policy is influenced by the Canadian standard CAN/CSA-Z 731-03.

Guidelines provided by NEMA (printed and downloadable from NEMA website)
Category: Good Practice
Authority: NEMA
Summary: Family Disaster Plan / Disaster Supplies Kit / Shelter Information / Mobility Checklists / Pets in Disasters.

BARBADOS

Operational Risk Guidelines, June 2007; Emergency Relief Guarantee Fund Act 1999
Category: Regulation
Authority: The Central Bank of Barbados
Summary: The guidelines apply to all commercial banks operating in Barbados. They are based upon the Basel Committee’s Joint Forum “High Level Principles.”

BELGIUM

Additional prudential expectations regarding operational business continuity and security of systemically important financial institutions
Category: Regulation
Authority: Belgium National Bank
Summary: Expectations of the National Bank of Belgium (NBB) regarding operational business continuity and security for financial institutions.
Link: https://www.nbb.be/doc/cp/eng/sfi/20151218_nbb_2015_32.pdf

Circular PPB-2006-1-CPA
Category: Regulation
Authority: Belgium National Bank
Summary: Sound management practices in outsourcing for insurance companies.
Link: https://www.nbb.be/doc/cp/fr/vo/circ/pdf/ppb_2006_1_cpa_circular.pdf

Press Release
Category: Regulation
Authority: Belgium National Bank
Summary: Recommendations of the Financial Stability Committee on business continuity planning.
Link: https://www.nbb.be/doc/ts/enterprise/press/2004/n/cpcfs041020nl.pdf

Circular PPB 2004/5
Category: Regulation
Authority: Belgium National Bank
Summary: Sound management practices in outsourcing by credit institutions and investment firms.
Link: https://www.nbb.be/doc/cp/fr/ki/circ/pdf/ppb_2004_5_circular.pdf

Circular PPB/D.256
Category: Regulation
Authority: Belgium National Bank
Summary: Circular regarding sound management practices to ensure business continuity at financial institutions.
Link: https://www.nbb.be/doc/cp/fr/vo/circ/pdf/ppb_d_256.pdf

BRAZIL

NBR15999-1: Gestão de continuidade de negócios – Parte 1: Código de prática
Category: Regulation
Authority: ABNT (Associação Brasileira de Normas Técnicas)
Summary: Brazilian Portuguese straight translation of the English standard BS 25999-1 Business continuity management. Code of practice.

NBR15999-2: Gestão de continuidade de negócios – Parte 2: Requisitos
Category: Regulation
Authority: ABNT (Associação Brasileira de Normas Técnicas)
Summary: Brazilian Portuguese straight translation of the English standard BS 25999-2. Specification for business continuity management.

NBR ISO/IEC24762: Tecnologia da informação – Técnicas de segurança – Diretrizes para os serviços de recuperação após um desastre na tecnologia da informação e de comunicação
Category: Regulation
Authority: ABNT (Associação Brasileira de Normas Técnicas)
Summary: Brazilian Portuguese straight translation of the ISO standard 24762 – Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services.

NC nº06/IN01/DSIC/GSIPR – Gestão De Continuidade de Negócios
Category: Standard
Authority: Institutional Security Cabinet – Information Security and Communication Department
Summary: Establishes guidelines for BCM in the bodies and entities of the Federal Public Administration.

BCI Good Practice Guidelines 2013 (Portuguese)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

CANADA

Emergency Management & Civil Protection Act 1990, Chapter E.9
Category: Legislation
Authority: Canadian Government
Summary: Defines the legal framework and powers available for dealing with a national emergency.

Emergency Management & Civil Protection Act – Ontario Regulation
Category: Legislation
Authority: Ontario Regional Government
Summary: A bilingual regulation, detailing ministerial responsibilities and how Continuity of Operations Plans will operate.

IDA By-Law 17.19 – Business Continuity Plan Requirement
Category: Regulation
Authority: OSC (Ontario Securities Commission)
Summary: The purpose of the proposed by-law is to require each IDA member to establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption and can meet obligations to its customers and other capital markets counterparts.
Link: http://www.osc.gov.on.ca/MarketRegulation/SRO/ida/rr/srr-ida_20050107_not-pro-bylaw-17-19.pdf

Letter March 2006
Category: Regulation
Summary: Letter to Federally Regulated Financial Institutions and Insurance Companies in March 2006.

CAN/CSA-Z 731-03
Category: Standard
Authority: CSA (Canadian Standards Association)
Summary: Canada’s emergency preparedness and response standards.
Link: http://www.techstreet.com/standards/CAN_CSA/Z731_03?product_id=1270242

CSA Z1600-08
Category: Standard
Authority: CSA (Canadian Standards Association)
Summary: Canadian standard for integrating business continuity and emergency management programmes, based on NFPA 1600.

Information Technology Control Guidelines
Category: Good Practice
Authority: Canadian Institute of Chartered Accountants
Summary: Crisis Management for Directors.
Link: http://www.cica.ca/applying-the-standards/canadian-standards-on-quality-control/index.aspx

Government of Saskatchewan Business Continuity Guide
Category: Good Practice
Authority: Government of Saskatchewan
Summary: Business Continuity Guidelines.

CHINA

Guidelines on Financial Innovation of Commercial Banks, Article 23
Category: Regulation
Authority: China Banking Regulatory Commission

Law of the People’s Republic of China on Banking Regulation and Supervision, Article 29
Category: Regulation
Authority: China Banking Regulatory Commission

Provisional Administrative Rules governing derivatives activities of financial institutions, Articles 10 & 16
Category: Regulation
Authority: China Banking Regulatory Commission

Use of ISO, ANSI or BS standards by international firms based in China
Category: Standard

BCI Good Practice Guidelines 2013 (Mandarin)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

DENMARK

DS 3001:2009 Organisatorisk Robusthed
Category: Standard
Authority: Dansk Standard
Summary: This standard is an exact translation of ASIS Standard SPC.1-2009 – Organizational Resilience.

FRANCE

CRBF Regulation 97-02 (Amended by Regulation 2004-02)
Category: Regulation
Authority: EU references
Summary: International control for credit institutions.
Link: http://www.banque-france.fr

BCI Good Practice Guidelines 2013 (French)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

GERMANY

MaRisk (for banks)
Category: Regulation
Authority: Bundesanstalt für Finanzdienstleistungsaufsicht (Federal Office of Financial Service Regulations)
Summary: National version of the rules of Basel II; includes a passage on contingency planning.

MaRisk VA (for insurance companies)
Category: Regulation
Authority: Bundesanstalt für Finanzdienstleistungsaufsicht (Federal Office of Financial Service Regulations)
Summary: National version of the rules of Solvency II; includes a passage on contingency planning.

IT Baseline Protection Manual
Category: Good Practice
Authority: Federal Government
Summary: IT Grundschutzhandbuch – English & German versions available.

Pandemic Planning Handbook: 2007
Category: Good Practice
Authority: Federal Government
Summary: Handbuch Pandemieplanung – German version only.

BSI 100-4
Category: Good Practice
Authority: Federal Office for Information Security
Summary: Business Continuity Management – versions in German and English.

Protecting Critical Infrastructures – Risk and Crisis Management
Category: Good Practice
Authority: Federal Ministry of the Interior
Summary: A guide for companies and government authorities.
Link: www.bmi.bund.de

BCI Good Practice Guidelines 2013 (German)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

Page 40: BCM Legislations, Regulations, Standards and Good … › uploads › assets › uploaded › aa17d414...REGULATIONS: Mandatory rules or audited guidance documents from official regulatory

Page | 34

GREECE

Title: Framework of Operational Principles and Criteria for the Evaluation of the Organization and Internal Control Systems of Credit and Financial Institutions and Relevant Powers of their Management Bodies
Category: Regulation
Authority: Bank of Greece
Summary: Framework of operational principles and criteria for the evaluation of the organization and internal control systems of credit and financial institutions and the relevant powers of their management bodies. In force from 9 March 2006. Annex 2, Operational Risk Management Principles for Information Systems in Financial Institutions, Section C4: Business continuity and disaster recovery plans.
Link: http://www.bankofgreece.gr/BogDocumentEn/GA.BG_2577-9.03.2006_Annex_2_Operational_Risk_management_principles_for_information_systems_in_financial_institutions.pdf

Title: Secrecy Assurance Regulations for Telecommunication Services
Category: Regulation
Authority: Hellenic Authority for Communication Security and Privacy (ADAE)
Summary: Regulatory framework for organizations providing telecom services to retail or corporate clients. An internal control framework is defined for certain aspects of IT operations for the IT systems supporting telecom operations. Article 4: Business Impact Analysis; Article 5: Risk Analysis; Article 6: Business Continuity; Article 10: Contingency.
Link: http://www.adae.gr/fileadmin/docs/nomoi/kanonismoi/Kanonismos_FEK_1742_B_15_07_2013_asfaleia_akeraiotita__ADAE_205_2013.pdf


Title: BCI Good Practice Guidelines 2013 (Greek)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the six professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines


HONG KONG

Title: Personal Data (Privacy) Ordinance
Category: Legislation
Authority: Office of the Privacy Commissioner for Personal Data – the Government of the Hong Kong Special Administrative Region
Summary: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data.
Link: http://www.pco.org.hk/english/ordinance/ordglance.html

Title: Business Continuity Planning, Supervisory Policy Manual TM-G-2
Category: Regulation
Authority: The Hong Kong Monetary Authority
Summary: Sets out the HKMA's latest supervisory policies and practices, the minimum standards authorised institutions (AIs) are expected to attain in order to satisfy the requirements of the Banking Ordinance, and recommendations on best practices.
Link: http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-2.pdf

Title: Circular to licensed corporations – "Business continuity planning against serious communicable diseases"
Category: Regulation
Authority: Securities and Futures Commission of Hong Kong
Summary: Circular to remind licensed persons to take precautions against a recurrence of SARS or other serious communicable diseases.
Link: http://www.sfc.hk/web/EN/published-resources/business-continuity/

Title: HKMA Supervisory Policy Manual, BCP TM-G-2, V1, 02.12.02
Category: Regulation
Authority: The Hong Kong Monetary Authority
Summary: Enforced by on-site examinations; requires BCP documentation and testing at least annually, and planning for different scenarios and for prolonged outages.


Title: HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-G-1, V.1, 24.06.03
Category: Regulation
Authority: The Hong Kong Monetary Authority
Summary: Refers to TM-G-2 on BCP for the need to provide continuous and/or alternative services. Provides authorised institutions (AIs) with guidance on the general principles which AIs are expected to consider in managing technology-related risks. Section 3.1.4 discusses "adequate off-site back-up and contingency arrangements". Section 2.6 covers policies, procedures or service agreements between AIs and overseas offices (e.g. parent banks, subsidiaries, head offices or other regional offices of the same banking group) with regard to certain IT controls or support activities. Section 7.1.1 states that AIs "should develop a contingency plan for critical outsourced technology services to protect them from unavailability of services due to unexpected problems of the technology service provider."
Link: http://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2003/tm-g-1.pdf

Title: HKMA Supervisory Policy Manual, Supervision of E-Banking TM-E-1, V.1, 17.02.04
Category: Regulation
Authority: The Hong Kong Monetary Authority
Summary: Refers to TM-G-2 on BCP for the need to provide continuous and/or alternative services.
Link: http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-E-1.pdf


Title: IT Security Guidelines – G3
Category: Regulation
Authority: Information Technology Services Department – The Government of the Hong Kong Special Administrative Region
Summary: Introduces general concepts relating to IT security and elaborates interpretations of the Baseline IT Security Policy. It also provides guidelines and considerations for defining security requirements.
Link: http://www.ogcio.gov.hk/en/infrastructure/methodology/security_policy/

Title: Management, Supervision and Internal Control Guidelines ("the Internal Control Guidelines")
Category: Regulation
Authority: Securities and Futures Commission of Hong Kong
Summary: A licensed or registered person should have internal control procedures and financial and operational capabilities which can reasonably be expected to protect its operations, its clients and other licensed or registered persons from financial loss.
Link: http://en-rules.sfc.hk/en/display/display_main.html?rbid=3527&element_id=162

Title: No specific standards for Hong Kong or Macau
Category: Standard
Summary: Use of ISO, ANSI or BS standards is common among international firms.

Title: Guidance Note on the Use of Internet for Insurance Activities (GN8)
Category: Good Practice
Authority: Office of the Commissioner of Insurance – The Government of the Hong Kong Special Administrative Region
Summary: To better protect the insuring public and ensure the healthy development of the industry in the information technology era.
Link: http://www.oci.gov.hk/download/gn8-eng.pdf


Title: BCI Good Practice Guidelines 2013 (Mandarin)
Category: Good Practice
Authority: BCI
Summary: Versions in both English and Mandarin. Global best practice based upon the six professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

INDIA

Title: Reserve Bank of India Circulars
Category: Regulation
Authority: 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)
Summary: RBI/2009-10/108 – National Electronic Funds Transfer (NEFT) System – Business Continuity Plan. RBI/2008-09/495 – IT based systems – Business Continuity and DR Operations. RBI/2004-05/420 – Operational Risk Management – Business Continuity Planning.
Link: http://www.rbi.org.in/scripts/BS_EntireSearch.aspx?searchString=business%20continuity&strSection=Notifications


Title: Insurance Companies
Category: Regulation
Authority: Insurance Regulatory and Development Authority, Government of India (IRDA)
Summary: Guidelines for insurance companies to have robust BCM arrangements.


INDONESIA

Title: Regulation No. 9/15/PBI/2007
Category: Regulation
Authority: Bank Indonesia (Central Bank)
Summary: Implementation of risk management in the use of information technology by commercial banks.

Title: Regulation No. 6/8/PBI/2004
Category: Regulation
Authority: Bank Indonesia (Central Bank)
Summary: The Bank Indonesia real time gross settlement system (unofficial translation).

Title: Circular Letter No. 9/30/DPNP – Risk Management in the Use of Information Technology by Commercial Banks (March 31st, 2008)
Category: Regulation
Authority: Bank Indonesia (Central Bank)
Summary: Requires BCP documentation and at least annual testing, with focus on the Bank Indonesia RTGS system. Requires internal audit to conduct an audit at least annually and provide a report to Bank Indonesia.
Link: http://www.bi.go.id/web/en/Peraturan/Perbankan/se_093007.htm

ISRAEL

Title: SI 24001:2007
Category: Standard
Authority: Standards Institution of Israel (SII)
Summary: Security and Continuity Management System standard.


ITALY

Title: Law Decree n. 61 – April 11th 2011
Category: Legislation
Authority: Italian government
Summary: Implementation of European Directive 2008/114/EC on the designation of European Critical Infrastructures and their protection.
Link: http://www.gazzettaufficiale.it/atto/serie_generale/caricaDettaglioAtto/originario?atto.dataPubblicazioneGazzetta=2011-05-04&atto.codiceRedazionale=011G0101&elenco30giorni=false

Title: Art. 34, Law Decree n. 235 – December 30th 2010
Category: Legislation
Authority: Italian government
Summary: Modifications and integrations to Art. 50-bis of Law Decree n. 82 – March 7th 2005 (Codice di Amministrazione Digitale / Digital Administration Code).
Link: http://archivio.digitpa.gov.it/sites/default/files//CAD_DECRETO_LEGISLATIVO_30_dicembre_2010.pdf

Title: Ministerial Decree n. 269 – December 1st 2010
Category: Legislation
Authority: Italian government
Summary: Minimum requirements for the organizational and quality standards of security and surveillance companies, as critical providers to many sectors.
Link: http://www.prefettura.it/FILES/AllegatiPag/1183/Decreto%20Ministro%20Interno%201122010.pdf


Title: Law Decree n. 81 – April 9th 2008
Category: Legislation
Authority: Italian government
Summary: Act on health and safety in the workplace.
Link: http://www.lavoro.gov.it/SicurezzaLavoro/MS/Normativa/Documents/TU%2081-08%20-%20Ed.%20Settembre%202015.pdf

Title: Law Decree n. 196 – June 30th 2003
Category: Legislation
Authority: Italian government
Summary: Code on Personal Data and Sensitive Information Protection.
Link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/export/1311248

Title: Law Decree n. 231 – June 8th 2001
Category: Legislation
Authority: Italian government
Summary: Act on the administrative liability of corporations.
Link: http://www.camera.it/parlam/leggi/deleghe/01231dl.htm

Title: Bank of Italy Circular n. 285 – December 17th 2013 (First Part – Title IV – Chapter 5)
Category: Regulation
Authority: Bank of Italy
Summary: General recommendations on business continuity for banks, with further specifications for Systemically Important Financial Institutions.
Link: https://www.bancaditalia.it/compiti/vigilanza/normativa/archivio-norme/circolari/c285/Circ_285_14_Aggto_Testo_Integrale_segnalibri.pdf

Title: ISO 22301:2012 – Societal Security – Business Continuity Management Systems – Requirements
Category: Standard
Authority: ISO
Summary: International Standard on Business Continuity.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=50038


Title: ISO 22313:2012 – Societal Security – Business Continuity Management Systems – Guidance
Category: Standard
Authority: ISO
Summary: International Standard on Business Continuity.
Link: http://www.iso.org/iso/catalogue_detail?csnumber=50050

Title: ISO 22317:2015 – Societal Security – Business Continuity Management Systems – Guidelines for Business Impact Analysis (BIA)
Category: Standard
Authority: ISO
Summary: International Standard on Business Impact Analysis.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=50054

Title: ISO 22318:2015 – Societal Security – Business Continuity Management Systems – Guidelines for Supply Chain Continuity
Category: Standard
Authority: ISO
Summary: International Standard on Supply Chain Continuity Management.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=65336

Title: UNI 10459:2015 – February 12th 2015
Category: Standard
Authority: UNI (Italian national standards body)
Summary: Requirements for Security Officers.
Link: http://store.uni.com/magento-1.4.0.1/index.php/uni-10459-2015.html

Title: UNI PdR 6:2014 – February 12th 2015
Category: Standard
Authority: UNI (Italian national standards body)
Summary: Requirements for Resilience Management Systems in Critical Infrastructures.
Link: http://catalogo.uni.com/pdr/pub/uni_pdr_6_2014.pdf


Title: BCI Good Practice Guidelines 2013 (Italian version)
Category: Good Practice
Authority: BCI
Summary: The Good Practice Guidelines (GPG) are the independent body of knowledge for good Business Continuity practice worldwide.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines


JAPAN

Title: Business Continuity at the Bank of Japan
Category: Regulation
Authority: BOJ (Bank of Japan)
Summary: The Bank develops and continually revises business continuity plans for functions such as circulation of banknotes and operation of payment and settlement systems, in order to carry out its responsibilities in times of disaster. The Bank trains its staff and conducts emergency drills on a regular basis to ensure a timely and appropriate response. The Bank also coordinates with relevant parties for effective business continuity planning at payment and settlement systems, at the market level, and in the financial system as a whole. For example, the Bank tests contingency procedures with market participants and with related administrative institutions, based on various scenarios including large-scale earthquakes.
Link: http://www.boj.or.jp/en/about/bcp/


Title: Manual for the Development of Contingency Plans in Financial Institutions: Japan FSA
Category: Regulation
Authority: FISC (The Center for Financial Industry Information Systems)
Summary: Audit considerations: appointment of a BCP manager; implementation of policy and standards; proper documentation; regular review of the plan; corporate-wide testing at least annually; planning for different scenarios.

Title: ISO 22301
Category: Standard
Authority: JIPDEC (Japan Information Processing Development Corporation)
Summary: ISO standards are well accepted and might become incorporated into corporate law. JIPDEC accredits the certification bodies that certify against ISO 22301.

Title: BCI Good Practice Guidelines 2013 (Japanese)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the six professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines


KAZAKHSTAN

Title: Government Regulation of 30 September 2005, Instruction #359
Category: Regulation
Authority: Financial Control Agency of Kazakhstan (local name АФН)
Summary: Requires the risk management and internal audit functions of commercial banks to have an adequate management system in place, covering all kinds of risk. Business continuity must be properly documented, approved by the Board of Directors and tested. A walkthrough scenario is to be conducted monthly and reported to the regulatory body.

Title: Monetary Policy Guidelines of the Republic of Kazakhstan 2014
Category: Regulation
Authority: National Bank of the Republic of Kazakhstan
Summary: Defines the requirements for the formation of a bank's risk management and internal control systems, so as to ensure effective control by the bank's board of directors over the bank's activities and its financial condition.
Link: http://www.nationalbank.kz/cont/publish169022_24039.DOC


KENYA

Title: Central Bank of Kenya (CBK) Prudential Guidelines on BCM for Institutions Licensed under the Banking Act
Category: Regulation
Authority: The Central Bank of Kenya
Summary: The guideline requires all licensed institutions to implement and maintain a BCP. It is based upon the Basel Committee's Joint Forum "High Level Principles".

LATVIA

Title: BCM provision for Payment and Securities Settlement Systems in Latvia
Category: Regulation
Authority: Latvijas Banka (Bank of Latvia)
Summary: Based upon the Basel Committee's Joint Forum "High Level Principles".


MALAYSIA

Title: BNM/RH/GL013-3 Guidelines on BCM for Banking Institutions – July 2008
Category: Regulation
Authority: Bank Negara Malaysia (BNM) – Central Bank of Malaysia
Summary: Outlines and enforces minimum BCM requirements on institutions so as to ensure the continuity of critical business functions and essential services within a specified timeframe in the event of a major disruption.

Title: Guidelines on Management of IT Environment BNM/RH/GL/013-3
Category: Regulation
Authority: Bank Negara Malaysia (BNM) – Central Bank of Malaysia
Summary: Outlines the minimum responsibilities and requirements for planning and managing the IT environment, as well as the preventive and detective measures that institutions should implement to mitigate the risks pertaining to it.
Link: http://www.calamityprevention.com/links/FCP_copy_Bank_Negara_Malaysia_BCM_Guidelines_2008.pdf

Title: MS 1970:2007
Category: Standard
Authority: Malaysian Standards
Summary: Business Continuity Management high-level framework.

Title: Draft Malaysian Standard 2 – Business Continuity Framework – 2006
Category: Standard
Authority: Malaysian Standards
Summary: This Malaysian Standard was developed by the Working Group on Business Continuity Management under the authority of the Information Technology, Telecommunication and Multimedia Industry Standards Committee.
Link: http://www.calamityprevention.com/links/Draft_Malaysian_SIRIM_BCM_standard_Aug_2006.pdf


MALTA

Title: Guidelines on Business Continuity and Contingency Procedures
Category: Regulation
Authority: The Central Bank of Malta
Summary: Directive No 6: Harmonised Conditions for Participation in TARGET2-Malta, Appendix IV, 2008.

NETHERLANDS

Title: Additional prudential expectations regarding operational business continuity and security of systemically important financial institutions
Category: Regulation
Authority: National Bank of Belgium
Summary: DNB BCM benchmark standard for institutions belonging to the Financial Key Infrastructure of the Netherlands.
Link: http://www.dnb.nl/en/binaries/DNB%20Assessment%20Framework%20Business%20Continuity%20version%202011_tcm47-253700.PDF

Title: Assessment Framework for Financial Core Infrastructure – Business Continuity Management: May 2011
Category: Regulation
Authority: De Nederlandsche Bank NV
Summary: A BCM framework for banks regulated in the Netherlands.

Title: BCM principles and requirements for the Dutch financial sector and its providers, September 2011
Category: Regulation
Authority: De Nederlandsche Bank NV
Summary: For all financial institutions operating in the Netherlands.


Title: NEN 7131:2010 Organizational Resilience
Category: Standard
Authority: NEN (Dutch Standards Authority)
Summary: This standard is an exact translation of ASIS Standard SPC.1-2009 – Organizational Resilience.

Title: CIP in The Netherlands – The Dutch Approach, March 2004
Category: Guidelines
Authority: Ministry of the Interior – The Netherlands
Summary: Based on EU guidelines for Critical National Infrastructure Protection.

NEW ZEALAND

Title: The Civil Defence & Emergency Management Act (2002)
Category: Legislation
Authority: Ministry of Civil Defence and Emergency Management
Summary: The purpose of this Act is to improve and promote the sustainable management of hazards in a way that contributes to the social, economic, cultural and environmental well-being and safety of the public and to the protection of property, and to encourage and enable communities to achieve acceptable levels of risk.
Link: http://www.civildefence.govt.nz/memwebsite.NSF/Files/CDEMAct/$file/Civil%20Defence%20Emergency%20Management%20Act%202002.pdf

Title: AS/NZS 5050:2010 Business continuity – Managing disruption-related risk
Category: Standard
Authority: NZ Standards, with Standards Australia
Summary: Provides a generic guide for business continuity and managing disruption-related risk. It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group.
Link: http://infostore.saiglobal.com/store/details.aspx?ProductID=1409610


Title: HB 221:2004 Business Continuity Management Handbook (probably superseded, but this requires further verification)
Category: Good Practice
Authority: NZ Standards, with Standards Australia
Summary: Sets out a definition and process for business continuity management, and provides a workbook that may be used by organizations to assist in implementation. Also sets out the principles and guidance that the Commission expects companies listed on the NZ Stock Exchange to follow for Business Continuity Management and for establishing a Business Continuity Plan.
Link: http://infostore.saiglobal.com/store/Details.aspx?ProductID=1378670

Title: AS/NZS ISO 31000:2009
Category: Standard
Authority: NZ Standards, with Standards Australia
Summary: Provides a generic guide for risk management (principles and guidelines). It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group.

Title: New Zealand Coordinated Incident Management System (CIMS), 2nd Edition
Category: Good Practice
Authority: Ministry of Civil Defence and Emergency Management
Link: http://www.civildefence.govt.nz/resources/new-zealand-coordinated-incident-management-system-cims-2nd-edition/


PAKISTAN

Title: Risk Management Guidelines for Commercial Banks and DFIs, section 5.10.1
Category: Good Practice
Authority: State Bank of Pakistan (SBP)
Summary: Banks should have in place contingency and business continuity plans to ensure their ability to operate as going concerns and to minimize losses in the event of severe business disruption. The State Bank requires all licensed institutions to implement and maintain a BCP. It is based upon the Basel Committee's Joint Forum "High Level Principles".
Link: http://www.sbp.org.pk/about/riskmgm.pdf

Title: Guidelines on Business Continuity Planning, BSD Circular No. 13 of 2004
Category: Good Practice
Authority: State Bank of Pakistan (SBP)
Summary: Guidelines on Business Continuity Planning, based upon the Basel Committee's Joint Forum "High Level Principles".
Link: http://www.calamityprevention.com/links/Pakistan_BCP_BSD_Circular_No.13_of_2004.pdf

PALESTINE

Title: Business Continuity Management Regulation (Instruction No. 2/2009)
Category: Regulation
Authority: Palestine Monetary Authority
Summary: Regulation for banks operating in Palestine. It aims at developing comprehensive management of the business continuity life cycle, and is prepared in accordance with Basel Committee recommendations and sound international practices related to business continuity.

PERU

Title: Circular No. G-139-2009
Category: Standard
Authority: Superintendencia de Banca, Seguros y AFP (SBS)
Summary: Establishes minimum criteria for managing business continuity, as part of the proper management of the operational risk that the supervised company faces.
Link: https://intranet1.sbs.gob.pe/IDXALL/FINANCIERO/DOC/CIRCULAR/PDF/G-139-2009.C.PDF

PHILIPPINES

Title: BSP Memorandum (2004) – MAB/NBFIs – Establishment of Back-Up Operation Centers and Data Recovery Sites
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP) (Central Bank of the Republic of the Philippines)
Summary: Enforced by audit; requires all banks to set up a disaster recovery facility.
Link: http://www.bsp.gov.ph/regulations/regulations.asp?type=1&id=236


Title: BSP Circular Letter (2001) – Business Continuity Plan
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP) (Central Bank of the Republic of the Philippines)
Summary: Requires a comprehensive and updated business continuity plan as an integral part of the risk management process of all financial institutions. The overall goal of this business continuity plan must be (1) to ensure that there will be minimal disruption of bank operations, (2) to minimize financial losses through lost business opportunities or asset deterioration, and (3) to ensure a timely resumption of normal operations.
Link: http://www.bsp.gov.ph/regulations/regulations.asp?type=1&id=669

Title: Circular No. 542
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Consumer protection for electronic banking.

Title: Circular
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Back-up operation centers and data recovery sites.

Title: Circular
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Business continuity plan.

Title: Circular
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Updated business continuity plan.


Title: Circular
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP) (Central Bank of the Republic of the Philippines)
Summary: Extension of the deadline for submission of the business continuity plan.

Title: Circular
Category: Regulation
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Business continuity plan.

Title: Circular No. 269
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: New guidelines concerning electronic banking activities.

Title: Circular No. 268
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Implementing rules and regulations of Sec. 55.1(e) of the General Banking Law 2000.

Title: Circular
Authority: The Bangko Sentral ng Pilipinas (BSP)
Summary: Year 2000 business continuity / business resumption contingency planning.

POLAND

Title: Business Continuity of Payment and Securities Settlement Systems Infrastructure
Category: Regulation
Authority: The National Bank of Poland
Summary: Financial institutions are to have their BCP validated by and submitted to the Central Bank.


PORTUGAL

Title: Recomendações sobre Gestão da Continuidade de Negócio (Recommendations on Business Continuity Management)
Category: Regulation
Authority: Comissão Nacional de Supervisores Financeiros (National Commission of Financial Supervisors)
Summary: Recommendations on Business Continuity Management issued by the CNSF, the body responsible for financial services supervision, comprising the Bank of Portugal, the Portuguese Insurance Institute and the Stock Exchange Commission.

Title: Carta-Circular nº 75/2010/DSB, Gestão de Continuidade de Negócio no sector Financeiro – Recomendações Prudenciais (Circular Letter No. 75/2010/DSB, Business Continuity Management in the Financial Sector – Prudential Recommendations)
Category: Regulation
Authority: Banco de Portugal (Bank of Portugal)
Summary: Prudential recommendations on BCM for Portuguese banks (adopted from the CNSF BCM recommendations).

Title: Aviso do Banco de Portugal nº 5/2008 (Bank of Portugal Notice No. 5/2008)
Category: Regulation
Authority: Banco de Portugal (Bank of Portugal)
Summary: Risk management and internal control systems, and development principles for banks, including the development of Business Continuity Plans.

Title: Norma nº 14 – Princípios para o desenvolvimento de sistemas de Gestão de Risco e Controlo Interno em Empresas de Seguros (Standard No. 14 – Principles for the Development of Risk Management and Internal Control Systems in Insurance Companies)
Category: Regulation
Authority: Instituto de Seguros de Portugal (Portuguese Insurance Institute)
Summary: Risk management and internal control systems: development principles and technical guidelines for insurance companies, including the development of Business Continuity Plans.


Title: BCI Good Practice Guidelines 2013 (Portuguese)
Category: Good Practice
Authority: The BCI
Summary: Global best practice based upon the six professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

RUSSIA (Russian Federation)

Title: STO BR IBBS-1.0-2010
Category: Regulation
Authority: Central Bank of the Russian Federation (replaces STO BR IBBS-1.0-2006)
Summary: Standard of the Bank of Russia: Information Security of Russian Banking System Organizations. General Provisions.

Title: 242-P
Category: Regulation
Authority: Central Bank of the Russian Federation
Summary: Banking internal control regulations.
Link: http://www.cbr.ru/eng/press/pr.aspx?file=10072014_114556eng2014-07-10T11_40_24.htm


Title: BCI Good Practice Guidelines 2013 (Russian)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the six professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

RWANDA

Title: Regulation No. 4/2011 on Business Continuity
Category: Regulation
Authority: National Bank of Rwanda
Summary: Sets the minimum requirements for establishing sound and effective business continuity management practices in banks in Rwanda.


SINGAPORE

Title: MAS Business Continuity Management Guidelines (June 2003)
Category: Regulation
Authority: MAS (Monetary Authority of Singapore)
Summary: 7 Guiding principles on senior management responsibilities for BCM; embedding BCM into business-as-usual activities, incorporating sound practices, testing BCP regularly, completely and meaningfully; developing recovery strategies.
Link: http://www.mas.gov.sg/search?q=business%20continuity%20guidelines

Title: SGX Member Rules, effective 22 January 2009
Category: Regulation
Authority: SGX (Singapore Exchange Limited)
Summary: Rules requiring SGX member firms to develop robust "Business Continuity Management (BCM)" arrangements. In addition, SGX Members have to appoint "Emergency Contact" persons and provide the Exchange with the contact details. The BCM requirements are implemented under the SGX Securities Trading Rules, Futures Trading Rules, CDP Clearing Rules and the SGX Derivatives Clearing Rules.

Title: SS 540:2008
Category: Standard
Authority: SPRING Singapore (Singapore Productivity and Innovation)
Summary: Specifies requirements for setting up and managing an effective business continuity management system (BCMS).

Title: SS 507:2004
Category: Standard
Authority: SPRING
Summary: Standard for business continuity/disaster recovery service providers.


Title: BCI Good Practice Guidelines 2013
Category: Good Practice
Authority: BCI
Summary: English and Mandarin versions of global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

Title: MAS Consultation Paper on Business Continuity Planning (BCP) Guidelines (10 Jan 2003)
Category: Good Practice
Authority: MAS (Monetary Authority of Singapore)
Summary: Guidelines to encourage adoption of BCP practices by financial institutions in Singapore. Guidelines to help financial institutions prepare by establishing a comprehensive business continuity plan.

Title: MAS SPRING Singapore BCM Fact Sheet 2006. Further guidance issued 6th January 2006. Circular SRD BCM 01/2006
Category: Good Practice
Authority: MAS (Monetary Authority of Singapore)
Summary: Rule 3.5.4(1) requires Clearing Members to maintain adequate business continuity arrangements, and document such arrangements in a business continuity plan.


Title: MAS Guidelines on Outsourcing – Section 6.6 BCM (Oct 2004)
Category: Good Practice
Authority: MAS (Monetary Authority of Singapore)
Summary: Guidelines on ensuring BC preparedness is not compromised by outsourcing; taking steps to evaluate and satisfy itself that interdependency risk arising from the outsourcing arrangement can be adequately mitigated; and assurance on the functionality.
Link: http://www.mas.gov.sg/search?q=business%20continuity%20guidelines

Title: Internet Banking and Technology Risk Management Guidelines – 2nd June 2006. Version 3.0.
Category: Good Practice
Authority: MAS (Monetary Authority of Singapore)
Summary: Guidelines on internet banking and technology.


SOUTH AFRICA

Title: Ministry for Provincial & Local Government Disaster Management Act, 2002
Category: Legislation
Authority: Department of Labour (Republic of South Africa)
Summary: Disaster Management Act (2002) – an integrated and coordinated disaster management policy that focuses on preventing or reducing the risk of disasters, mitigating the severity of disasters, emergency preparedness, rapid and effective response to disasters and post-disaster recovery; the establishment of national, provincial and municipal disaster management centres and disaster management volunteers.
Link: www.info.gov.za/view/DownloadFileAction?id=68094

Title: Major Hazard Installation Regulations, 1993
Category: Legislation
Authority: Occupational Health & Safety
Summary: Talks about emergency plans ("emergency plan" means a plan in writing which, on the basis of identified potential incidents at the installation, together with their consequences, describes how such incidents and their consequences should be dealt with).

Title: Public Finance Management Act, 1999 – Draft Treasury Relations
Category: Regulation
Summary: No specific mention of BC or DR but "availability of financial information" is included.

Title: SAMOS and CLS Business Continuity Procedures – SA Reserve Bank
Category: Regulation
Authority: South African Reserve Bank, National Payment System Department
Summary: Business Continuity Procedures for SA Reserve Bank and participants.
Link: http://www.resbank.co.za/RegulationAndSupervision/NationalPaymentSystem(NPS)/Documents/Oversight/Oversight.pdf


Title: Banks Act 2007 revision
Category: Regulation
Authority: South African Reserve Bank
Summary: To provide for the regulation and supervision of the business of public companies taking deposits from the public; and to provide for matters connected therewith.
Link: http://www.resbank.co.za/RegulationAndSupervision/BankSupervision/BankingLegislation/Pages/BanksAct.aspx

Title: King I Report 1994; King II Report – 2002
Category: Standard
Authority: King Committee on Corporate Governance
Summary: This is a standard for good corporate governance which most companies in South Africa make reference to in their AFS and try to adhere to.
Link: http://en.wikipedia.org/wiki/King_Committee

Title: BCI Good Practice Guidelines 2013
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines


SOUTH KOREA (Republic of Korea)

Title: Act on Assistance to the Autonomous Activities of Enterprises for Disaster Mitigation
Category: Legislation
Authority: National Emergency Management Agency (NEMA)
Summary: To promote BCP and Disaster management for local companies.

Title: Korea BCP
Category: Regulation
Authority: Financial Supervisory Commission
Summary: Recovery of core business (bank, securities, futures) within 3 hours. Need for proper capacity planning. Appropriate access control to DR system. Regular & ad-hoc test requirement.

Title: Supervisory Guidelines for BCP
Category: Regulation
Authority: New Basel Accord Office, Financial Supervisory Service (FSS)
Summary: Governance for BCP (Board and Senior Management, BCP Function, Independent Review Function), Risk Analysis, Business Impact Analysis, BCM Strategy Formulation, Business Continuity Plan (BCP) Development, Alternate Sites, Testing.


Title: BCI Good Practice Guidelines 2013 (Korean)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

SRI LANKA

Title: Guidelines on Business Continuity Planning
Category: Regulation
Authority: Insurance Board of Sri Lanka
Summary: Financial institutions to have BCP in place.


SWEDEN

Title: MSB (2009), Myndigheten för samhällsskydd och beredskaps föreskrifter om statliga myndigheters Informationssäkerhet (MSBFS 2009:10) (Swedish)
Category: Legislative act
Authority: Myndigheten för samhällsskydd och beredskap (MSB) (Swedish Civil Contingency Agency)
Summary: A legislative act about authorities and information security practice.
Link: https://www.msb.se/externdata/rs/94a3d208-2ac4-48a1-84f2-208268f5767e.pdf

Title: Finansinspektionen's Regulatory Code (FFFS) 2014:1
Category: Regulation
Authority: Finansinspektionen (FI), Sweden's financial supervisory authority
Summary: Finansinspektionen's Regulations and General Guidelines regarding governance, risk management and control at credit institutions. In force from 1 April 2014. Chapter 2 General organisational requirements, Section 9; Chapter 10 Outsourcing agreements, Section 5.
Link: http://fi.se/Regler/FIs-forfattningar/Samtliga-forfattningar/20141/

Title: Finansinspektionen's Regulatory Code (FFFS) 2014:4
Category: Regulation
Authority: Finansinspektionen (FI), Sweden's financial supervisory authority
Summary: Finansinspektionen's Regulations and General Guidelines regarding the management of operational risks. In force from 1 June 2014. Chapter 4 Reporting, Section 1; Chapter 5 Management of operational risks in operations, Continuity Management, Sections 15-23.
Link: http://fi.se/Regler/FIs-forfattningar/Samtliga-forfattningar/20144/


Title: Finansinspektionen's Regulatory Code (FFFS) 2014:5
Category: Regulation
Authority: Finansinspektionen (FI), Sweden's financial supervisory authority
Summary: Finansinspektionen's Regulations and General Guidelines regarding information security, IT operations and deposit systems. In force from 1 June 2014.
Link: http://fi.se/Regler/FIs-forfattningar/Samtliga-forfattningar/20145/

Title: *Samhällssäkerhet - Ledningssystem för kontinuitet - Krav (SS-EN ISO 22301:2012, IDT) (Swedish)
Category: Standard
Authority: ISO/SIS
Summary: ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents.
Link: http://www.sis.se/standard/std-102515

Title: *Samhällssäkerhet - Ledningssystem för kontinuitet - Riktlinjer (ISO 22313:2012, IDT) (Swedish)
Category: Standard
Authority: ISO/SIS
Summary: ISO 22313:2012 for business continuity management systems provides guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise.
Link: http://www.sis.se/sociologi-service-företagsorganisation-och-ledning-och-administration/företagsorganisation-och-företagsledning/allmänt/ss-iso-223132013


Title: *Samhällssäkerhet - Vägledning för övningar (ISO 22398:2013, IDT) (English: Societal security - Guidelines for exercises (ISO 22398:2013, IDT))
Category: Standard
Authority: ISO/SIS
Summary: ISO 22398:2013 recommends good practice and guidelines for an organization to plan, conduct, and improve its exercise projects which may be organized within an exercise program.
Link: http://www.sis.se/ledningssystem/samhällssäkerhet/ss-iso-223982013

Title: Samhällssäkerhet — Ledningssystem för kontinuitet — Vägledning till SS-ISO 22301 (2014)
Category: Standard
Authority: Swedish Standards Institute (SIS)
Summary: SS 22304, Samhällssäkerhet – Ledningssystem för kontinuitet – Vägledning, is a Swedish initiative, made to be a complement to the existing ISO standards within the area, and is focused on giving a more practical guideline on how to work with continuity management.
Link: http://www.sis.se/standard/std-102929

Title: *Guidelines for information and communication technology readiness for business continuity ISO/IEC 27031:2011
Category: Standard
Authority: ISO
Summary: ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity.
Link: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44374


Title: FSPOS Vägledning för Kontinuitetshantering, 2014 (Swedish)
Category: Good Practice
Authority: Finansiella Sektorns Privat-Offentliga Samverkan (FSPOS)
Summary: To give stakeholders within the financial sector support and good practice on how they can work with development, implementation and follow-up of continuity management. Updated 2015 with a guide for outsourcing in a separate appendix G.
Link: http://www.fspos.se/siteassets/fspos/rapporter/2013/fspos-vagledning-for-kontinuitetshantering.pdf
Link: http://www.fspos.se/siteassets/fspos/rapporter/2015/appendix-g----outsourcing-inom-finansiell-sektor---version-2.0---fspos-vagledning-for-kontinuitetshantering.pdf

Title: Handbok för kontinuitetsplanering i privat-offentlig samverkan (Swedish)
Category: Good practice
Authority: Privat Offentlig Samverkan – Södra Roslagen
Summary: The network POS-SR, a collaboration between the public and private sectors in Södra Roslagen, has developed a guideline for continuity planning.
Link: http://docplayer.se/3198171-Natverket-pos-sr-handbok-for-kontinuitetsplanering-i-privat-offentlig-samverkan.html

Title: Vägledning för samhällsviktig verksamhet: att identifiera samhällsviktig verksamhet och kritiska beroenden samt bedöma acceptabel avbrottstid (2014) (Swedish)
Category: Guideline
Authority: Myndigheten för samhällsskydd och beredskap (MSB) (Swedish Civil Contingency Agency)
Summary: MSB has developed this guideline to strengthen the work with societal security and to support the work with risk and vulnerability analyses.
Link: https://www.msb.se/RibData/Filer/pdf/27285.pdf


Title: Systematiskt arbete med skydd av samhällsviktig verksamhet (2015) (Swedish)
Category: Good practice
Authority: Myndigheten för samhällsskydd och beredskap (MSB) (Swedish Civil Contingency Agency)
Summary: This supporting document aims to make concrete what may form part of a systematic approach to the protection of critical infrastructure: risk management, continuity management and the management of events. The document is aimed at private and public actors that own or operate critical infrastructure. The content is based on national and international standards and guidelines in the respective areas.
Link: https://www.msb.se/RibData/Filer/pdf/27978.pdf

Title: Kontinuitetsplanering – en introduktion (2006) (Swedish)
Category: Good practice
Authority: Krisberedskapsmyndigheten (KBM)
Summary: An introduction to continuity planning from 2006.
Link: https://www.msb.se/Upload/Produkter_tjanster/Publikationer/KBM/Kontinuitetsplanering%20-%20en%20introduktion.pdf

Title: Information Technology Infrastructure Library
Category: Framework
Authority: OGC
Summary: Information Technology Infrastructure Library (ITIL) is a framework of best practices to manage IT operations and services, defined in the mid-1980s by the Government of Commerce, UK. Popular in Sweden as a framework.
Link: http://www.itil-officialsite.com/


Title: *Informationsteknik - Säkerhetstekniker - Ledningssystem för informationssäkerhet - Krav (ISO/IEC 27001:2013 IDT)
Category: Standard
Authority: ISO
Summary: ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
Link: http://www.sis.se/terminologi-och-dokumentation/informationsvetenskap-publicering/dokument-f%C3%B6r-administration-handel-och-industri/ss-iso-iec-270012014

Title: Guidelines for information and communications technology disaster recovery services (ISO/IEC 24762:2008)
Category: Guideline
Authority: ISO/IEC
Summary: ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both "in-house" and "outsourced" ICT DR service providers of physical facilities and services.
Link: http://www.sis.se/sok/?q=24762


SWITZERLAND

Title: FINMA Recommendations for BCM: Nov 2007
Category: Regulation
Authority: Swiss Financial Market Supervisory Authority
Summary: Overall BCM is not mandated but two elements (BIA and BCM Strategy) are binding as minimum standards under supervisory law.

Title: SFBC 06/6
Category: Regulation
Authority: Swiss Federal Banking Commission (SFBC)
Summary: Supervision of Internal Control.

Title: SFBC 06/3
Category: Regulation
Authority: Swiss Federal Banking Commission (SFBC)
Summary: Capital Adequacy for Operational Risk.

Title: SBA Self Regulation
Category: Regulation
Authority: Swiss Bankers Association
Summary: Self-regulatory guidelines for BCM, supported by SFBC. These are based upon the Basel Joint Forum "High-Level Principles for Business Continuity."

Title: EBK Empfehlung zum BCM
Category: Good Practice
Authority: EBK
Summary: German language guidance for Swiss banks.

Title: EBK Rundschreiben 99/02
Category: Good Practice
Authority: EBK
Summary: German language guidance for Swiss banks.

THAILAND


Title: 118/2550 – Policy on BCM and BCP for Financial Institutions
Category: Regulation
Authority: Bank of Thailand
Summary: This Policy Statement provides a general framework for Business Continuity Management and Business Continuity Plans for financial institutions in Thailand. The policy requires board-level involvement, identification and recovery plans for "Critical Business Functions," writing plans and testing them at least once every 12 months.
Link: http://www2.bot.or.th/fipcs/Documents/FPG/2550/EngPDF/25500011.pdf

UAE

Title: AE/HSC 7000:2011
Category: Standard
Authority: UAE National Crisis and Emergency Management Authority (NCEMA)
Summary: A Business Continuity Management standard based upon international best practice and local additional input.


Title: Business Continuity Standard and Guide AE/HSE/NCEMA 7000:2012
Category: Standard
Authority: National Emergency Crisis and Disasters Management Authority (NCEMA)
Summary: Developed to help entities systematically build their business continuity capability during and after an emergency, disaster or crisis. Initiatives are aimed at ensuring ongoing performance of essential functions and services in both the public and private sectors, for the purpose of enhancing the UAE's national stability.
Link: http://www.ncema.gov.ae/content/documents/BCM%20English%20NCEMA_29_8_2013.pdf

Title: BCI Good Practice Guidelines 2013 (Arabic)
Category: Good Practice
Authority: BCI
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines

UK

Title: BS 12999:2015
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Damage management - Code of practice for the organization and management of the stabilization, mitigation and restoration of properties, contents, facilities and assets following incident damage.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030296352


Title: BS 8584:2015
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Vacant property protection services - Code of practice.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030311655

Title: BS 16000:2015
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Security management - Strategic and operational guidelines.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030285866

Title: BS 65000:2014
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Guidance for Organizational Resilience.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030258792

Title: BS 11200:2014
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Crisis management - Guidance and good practice.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030274343

Title: PD 25666:2010
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Business continuity management. Guidance on exercising and testing for continuity and contingency programmes.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030203702

Title: ISO 11064-4:2013
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Ergonomic design of control centres.
Link: http://www.iso.org/iso/catalogue_detail.htm?csnumber=54419


Title: Civil Contingencies Act (2004 & 2005)
Category: Legislation
Authority: UK Government
Summary: The CCA defines various categories of responders to manage incidents and mandates BCM for all category 1 responders. It provides the legal framework for the establishment of local resilience forums and delegates responsibility for BCM awareness to local authorities.
Link: http://www.legislation.gov.uk/ukpga/2004/36/contents


Title: Financial Conduct Authority Handbook – Prudential Regulation Authority Handbook
Category: Regulation
Authority: Prudential Regulation Authority (PRA); Financial Conduct Authority (FCA)
Summary: A firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the firm must employ appropriate, proportionate systems, resources and procedures. It must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, where that is not possible, the timely recovery (Systems and Controls – SYSC 4.16 and 4.17). A firm must disclose to their regulators any material disruption to regulated activities in an open and cooperative way (Principle 11 – The Principles for Businesses). Further rules and guidance on topics relating to BCM can be found within the FCA handbook within SYSC 3, 4, 8, 13 and 18, and within the specialist sourcebooks.
Link: http://fshandbook.info/FS/html/FCA

Title: BS EN ISO 22301:2014 – Societal security – Business continuity management systems – Requirements
Category: Standard
Authority: British Standards Institution (BSI)
Summary: This is the British Standards published version of ISO 22301. This document has superseded BS 25999-2 since 2012.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030292502


Title: BS 31100:2009 – Risk Management Standard
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Principles and Guidance on implementing Risk Management.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030228064

Title: BS 11000-1:2010 – Collaborative Working
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Provides a framework for collaborative business relationships, to help companies develop and manage their interactions with other organizations for maximum benefit to all. Using an eight-stage approach, the framework is designed to enable organizations of any size and sector to apply best practice principles to their own ways of working, to get the very most out of their business relationships. Work is underway to upgrade this to an ISO standard (ISO 11000).
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030212011

Title: PAS 2015:2010 – NHS Resilience Framework for Health Services Resilience
Category: Standard
Authority: British Standards Institution (BSI)
Summary: Publicly available specification for operational resilience guidance in the NHS.


Title: PAS 7000:2014 – Supply Chain Risk Management – Supplier Prequalification
Category: Standard
Authority: British Standards Institution
Summary: Developed in response to clients around the world requesting a universal standard that would combine supplier profiles, capabilities and performance in order to make informed decisions about whether or not to engage with a potential supply chain partner. This standard helps address these issues and specifies a universal package of supplier information to be shared with supply chain partners. This covers key supplier information, capabilities and performance, which will help buyers trace back and secure their supply chains, mitigate risk and protect brand reputation, and help suppliers promote their products.
Link: http://shop.bsigroup.com/ProductDetail/?pid=000000000030289498

Title: BCI Good Practice Guidelines 2013 (English – UK)
Category: Good Practice
Authority: The Business Continuity Institute
Summary: Global best practice based upon the 6 professional practices defined in the BCM Lifecycle. The GPG 2013 are therefore intended for use by practitioners, consultants, auditors and regulators with a working knowledge of the rationale for BCM and its basic principles.
Link: http://www.thebci.org/index.php/resources/the-good-practice-guidelines


Title: CPNI Advice and Guidance
Category: Good Practice
Authority: The Centre for the Protection of National Infrastructure (CPNI)
Summary: CPNI is a government agency providing information, personnel and physical security advice to the entities which make up the UK's national infrastructure, helping to reduce its vulnerability to terrorism and other threats. It can call on resources from other government departments and agencies, including MI5 and the Communications Electronics Security Group.

Title: Risk Management Standard, AIRMIC, ALARM, IRM: 2002
Category: Good Practice
Authority: AIRMIC (Association of Insurance and Risk Managers); ALARM (National Forum for risk management in the public sector); IRM (Institute of Risk Management)
Summary: Establishes guidelines for Risk Management including Risk Assessment, Risk Reporting and Risk Treatment.

Title: FSA BCM Staff Guide 2007
Category: Good Practice
Authority: Financial Services Authority (FSA). The FSA was abolished in 2013 and replaced by two authorities: Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)
Summary: Advice for FSA staff involved with BCM internally or within regulated firms. The guidance remains applicable across the two new organizations.


Title: Business Continuity Management Practice Guide
Category: Good Practice
Authority: Financial Services Authority (FSA). The FSA was abolished in 2013 and replaced by two authorities: Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)
Summary: The Business Continuity Management Practice Guide is not general guidance from the Tripartite Authorities, nor is it guidance on FSA rules. Rather, it aims to help regulated firms in their business continuity planning by identifying and sharing examples of business continuity practice observed in firms that participated in the benchmarking exercise.
Link: http://www.bankofengland.co.uk/financialstability/fsc/Documents/bcmanagementguide.pdf

Title: Business Information Publications (BIP)
Category: Good Practice
Authority: BSI Publications
Summary: The route-map, auditing and exercising books have all been revised following the publication of ISO 22301.


USA

Title: P.L. 110-53 Title IX
Category: Legislation
Summary: Legislates voluntary implementation of business continuity plans and accreditation and certification of those plans by authorized third party organizations.

Title: Consumer Credit Protection Act (CCPA) of 1992 Section 2001 Title IX – Electronic Funds Transfer
Category: Legislation
Summary: Provides a basic framework establishing the rights, liabilities and responsibilities of participants in electronic fund transfer systems.

Title: Electronic Fund Transfer Act (EFTA)
Category: Legislation
Authority: OCC (Office of the Comptroller of the Currency)
Summary: Establishes the basic responsibilities, rights & liabilities of consumers and financial institutions that use electronic fund transfer services. BCP to meet "reasonable standard of care."
Link: http://www.fdic.gov/regulations/laws/rules/6500-1350.html

Title: Fair Credit Reporting Act
Category: Legislation
Authority: FTC (Federal Trade Commission)
Summary: Ensures credit information is accurate and up to date.
Link: http://www.ftc.gov/os/statutes/fcra.htm

Title: FDICIA – Federal Deposit Insurance Corporation Improvement Act of 1991
Category: Legislation
Authority: FDIC (Federal Deposit Insurance Corporation)
Summary: Requires all FDIC insured depository institutions with total assets of $500 million or more to certify that there is effective functioning of their internal controls systems.
Link: http://www.fdic.gov/regulations/laws/rules/8000-2400.html


Title: Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) of 1989; (P.L. 101-73 1989 HR 1278)
Category: Legislation
Authority: FIRREA
Summary: Policy allows regulators/examiners to impose civil penalties for violations or non-compliance with regulations, laws, temporary agency orders or any breach of a written agreement between an agency and the institution.

Title: FISMA: Federal Information Security Management Act of 2002
Category: Legislation
Authority: FTC (Federal Trade Commission)
Summary: Details requirements to assess risk, determine levels of security necessary to protect such information, periodically test and evaluate information security controls and techniques, etc.
Link: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Title: Foreign Corrupt Practices Act 1977 (P.L. 95-213)
Category: Legislation
Summary: Policy states that Directors and Officers can be held liable for "failure to enact standards of care" should they fail to document their assessment for determining not to develop a contingency plan.

Title: Gramm-Leach-Bliley Act of 1999, section 501 (b) (PL 106-102 1999 S 900)
Category: Legislation
Authority: Public Law
Summary: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.
Link: http://banking.senate.gov/conf/confrpt.htm


Title: HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7. Contingency Plan (164.308 (a) (7) (i))
Category: Legislation
Body: GAO (Government Accountability Office)
Description: Proposed contingency plan in effect with data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis.
Link: http://www.nchica.org/HIPAAResources/Security/rule.htm

Title: Privacy Act of 1974 (SUSC552a)
Category: Legislation
Description: Requires management to safeguard and to keep the information accurate and current to protect the individual.
Link: http://www.justice.gov/opcl/privstat.htm

Title: Sarbanes‐Oxley Act of 2002 (PL 107‐204 2002 HR 3763) – Section 404
Category: Legislation
Body: PCAOB (Public Company Accounting Oversight Board)
Description: Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls. Potential for data loss (ability to identify and rebuild lost transactions and source documents).
Link: http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf

Title: Sarbanes‐Oxley Act of 2002 Section 409
Category: Legislation
Body: PCAOB (Public Company Accounting Oversight Board)
Description: Issuers must disclose information on material changes in financial condition on a result basis.


Title: California SB 1386 Security of Non‐encrypted customer information (July 2003)
Category: Legislation
Body: State of California
Description: Bill requires all agencies, persons or businesses that conduct business in California and that own or license computerized data containing personal information to notify the owner or licensee of the information of any breach of security of the data.
Link: http://www.legalarchiver.org/sb1386.htm

Title: Computer Fraud and Abuse Act
Category: Legislation
Body: FTC (Federal Trade Commission)
Description: Makes it a federal offence to produce, buy, sell or transfer a credit card or other access devices that are counterfeit, forged, lost or stolen.
Link: http://www.panix.com/~eck/computer-fraud-act.html

Title: IRS Procedure 91‐59 (superseded IRS Procedure 86‐19)
Category: Legislation
Body: IRS (Internal Revenue Service)
Description: Legal requirements for computer records containing tax information. Requires off-site protection and documentation of computer records maintaining tax information.
Link: http://www.uiowa.edu/~fusrmp/irsruling98-25.html

Title: USA Patriot Act of 2001 (P.L. 107-56 2001 HR 3162)
Category: Legislation
Body: Department of Homeland Security (DHS)
Description: Applies to all Financial Institutions in the U.S. and any individual responsible for an act of terror defined by the Act. Business continuity implications include records protection and availability. Most frequently enforced for compliance purposes.
Link: http://www.epic.org/privacy/terrorism/hr3162.html


Title: Securities and Exchange Act, Sections 32(a) and (b)
Category: Legislation
Body: Securities and Exchange Commission (SEC)
Description: Policy addresses criminal liability of Directors and officers for failure to protect computerized information/documents. Process used to assess risks of information loss/exercise duty of care.

Title: 2013 ACH Rules Book
Category: Regulation
Body: ACH (Federal Reserve Bank’s Automated Clearing-House association)
Description: Requires 6 year file retention on all ACH transactions. An ACH transaction is a batch‐processed, value-dated electronic funds transfer between originating and receiving financial institutions.
Link: http://www.achrulesonline.org/


Title: Interagency Paper for Strengthening the Resilience of US Financial System (May 2003: Implementation in 2007)
Category: Regulation
Body: FRB (Federal Reserve Bank); OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission)
Description: During discussions about the lessons learned from 9/11, industry participants and others agreed that three business continuity objectives have special importance for all financial firms and the US financial system as a whole:
- Rapid recovery and timely resumption of critical operations following a wide‐scale disruption
- Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location
- A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible
Link: http://www.sec.gov/news/studies/34-47638.htm

Title: NASD Rule 108 (Sept 9, 02) and SR‐NASD 2002‐112 (March 10 2003) (Release No. 34‐48503: File NO SR‐NASD‐2002‐108)
Category: Regulation
Body: NASD (North American Securities Dealers Association) / SEC
Description: Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Members must update this plan in the event of any material change to the member’s operations or structure.
Link: http://www.sec.gov/rules/sro/34-48503.htm


Title: 6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Aug 2009)
Category: Regulation
Body: Code of Federal Regulations (CFR)
Description: Continuity of operations for critical infrastructure. Disclosure of critical information to the government.
Link: http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=bbbd14179df7951f63694b36dec73dba&rgn=div5&view=text&node=6:1.0.1.1.11&idno=6

Title: Federal Acquisition Regulation: Electronic Funds Transfer Final Rule
Category: Regulation
Body: Securities and Exchange Commission (SEC)
Description: Addresses the collection of EFT information through the contract process for vendors providing goods and services to the Federal Government.
Link: http://banking.senate.gov/conf/confrpt.htm

Title: FFIEC FIL 67‐97/82‐96
Category: Regulation
Body: FFIEC (Federal Financial Institutions Examination Council)
Description: The Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, encompassing distributed computing and external service bureaus.

Title: FFIEC Policy SP‐5
Category: Regulation
Body: FFIEC
Description: Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and service bureau information processing.

Title: FRB (Federal Reserve Banks) SR 96‐22
Category: Regulation
Body: Board of Governors of the Federal Reserve System
Description: Reviews and enforces the FFIEC’s Interagency Supervisory Statement on Risk Management of Client/Server Systems SP‐12.


Title: FRB (Federal Reserve Banks) SR 03-5
Category: Regulation
Body: Board of Governors of the Federal Reserve System
Description: Amended Interagency Guidance on the Internal Audit Function and its Outsourcing (SR 03-5) (Supersedes: Outsourcing of Information and Transaction Processing; Cross Reference: SR letter 97-35).
Link: http://www.federalreserve.gov/boarddocs/SRLETTERS/2003/SR0305.HTM

Title: FERC COOP 2007: FERC RM01‐12‐00
Category: Regulation
Body: Federal Energy Regulatory Commission (FERC)
Description: Provides a regulatory framework for the energy sector and sets performance requirements.

Title: GAO Supplier Requirements
Category: Regulation
Body: GAO (Government Accountability Office)
Description: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services. Will apply to all organizations providing supplies or services to GAO or Federal Agencies.
Links:
http://www.gao.gov/special.pubs/bcpguide.pdf
http://archive.gao.gov/f0102/115703.pdf
http://archive.gao.gov/d49t13/149920.pdf
http://www.gao.gov/products/EMD-78-59
http://archive.gao.gov/d22t8/142596.pdf


Title: NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans
Category: Regulation
Body: NASD (North American Securities Dealers Association)
Description: Requires a business continuity plan addressing:
- Alternative communications between customers, firm and employees
- Business constituent, bank and counterparty impact
- Regulatory reporting
- Mission critical systems
- Operational and financial impacts
Link: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf

Title: NASD Rule 3500: Emergency Preparedness Parts 3510/3520: Emergency Contact Information
Category: Regulation
Body: NASD (North American Securities Dealers Association)
Description: Rule 3520 requires NASD members to provide NASD with emergency contact information and to update that information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in an emergency.
Link: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_003095.pdf

Title: NFA Compliance Rule 2‐38: Business Continuity and Disaster Recovery Plan
Category: Regulation
Body: CFTC (Commodity Futures Trading Commission)
Description: Requires all National Futures Association members to establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption.
Link: http://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=9052&Section=9


Title: FINRA Rule 4370 - emergency preparedness rule
Category: Regulation
Body: FINRA (Financial Industry Regulatory Authority)
Description: Rule 4370—FINRA's emergency preparedness rule—requires firms to create and maintain BCPs appropriate to the scale and scope of their businesses, and to provide FINRA with emergency contact information. This page provides general information related to BCPs for securities firms.

Title: OSHA‐ Occupational Safety and Health Administration
Category: Regulation
Body: OSHA (Occupational Safety & Health Administration)
Description: Disaster preparedness – OSHA requires that all businesses with more than 10 employees have a written Emergency Contingency Plan (ECP). For businesses with 10 or fewer employees, a written plan is not mandated but recommended.
Link: http://www.osha.gov/SLTC/emergencypreparedness/index.html

Title: Telecommunications Act of 1996
Category: Regulation
Body: FCC - Federal Communications Commission
Description: The FCC’s Network Reliability and Interoperability Council provides best practices for business continuity and disaster recovery in the telecommunications industry (www.nric.org).
Link: http://www.drj.com/article-archives/communications/the-impact-of-the-telecommunications-act-on-business-continuity-plans.html


Title: NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
Category: Standard
Body: National Fire Protection Association (NFPA)
Description: This standard shall establish a common set of criteria for all hazards disaster/emergency management and business continuity programs, hereinafter referred to as "the program." It also provides the fundamental criteria to develop, implement, assess, and maintain the program for prevention, mitigation, preparedness, response, continuity and recovery, for which this document shall be applied to public, not-for-profit, nongovernmental organizations and to private entities.
Link: http://www.nfpa.org/codes-and-standards/document-information-pages?mode=code&code=1600

Title: OCC 2001‐47. Third Party Relationships (Nov 1 2001)
Category: Standard
Body: OCC (Office of the Comptroller of the Currency)
Description: This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. A third party’s inability to deliver products and services, whether arising from fraud, error, inadequate capacity, or technology failure, exposes the bank to transaction risk.
Link: http://www.occ.treas.gov/ftp/bulletin/2001-47.txt


Title: Private Sector Preparedness (PS‐Prep)
Category: Standard
Body: Department of Homeland Security (DHS)
Description: PS‐Prep is a partnership between DHS and the private sector that enables private entities to receive emergency preparedness certification from a DHS accreditation system created in coordination with the private sector. The standards—developed by the National Fire Protection Association, the British Standards Institution and ASIS International—were published for public comment in the Federal Register in Oct 2009. The adoption of the final standards was published in a Federal Register notice following a series of regional public meetings and the incorporation of public comments. The standards currently included are: NFPA1600, BS25999 and ASIS SPC.1‐2009. DHS will continue to accept comments on PS‐Prep, the three adopted standards, and/or proposals to adopt any other similar standard that satisfies the target criteria of the December 2008 Federal Register notice.

Title: ASIS SPC.1‐2009
Category: Standard
Body: ASIS
Description: Specification and guidance on addressing organizational resilience issues. This is accepted under the PS-Prep regulation.


Title: ANSI/ASIS SPC.4: Maturity model of organizational resilience
Category: Standard
Body: ANSI / ASIS
Description: This Standard provides guidance for the use of a maturity model for the phased implementation of the ANSI/ASIS SPC.1-2009 organizational resilience standard in six phases, ranging from an unplanned approach, to managing events, to going beyond the requirements of the ANSI/ASIS SPC.1-2009 Standard and creating a holistic environment for resilience management.

Title: ASIS American National Standard (2009)
Category: Standard
Body: ASIS
Description: The ASIS Organizational Resilience American National Standard provides organizations with a comprehensive management framework to anticipate, prevent if possible, and prepare for and respond to a disruptive incident. It provides generic auditable criteria to establish, check, maintain, and improve a management system to enhance prevention, preparedness (readiness), mitigation, response, continuity, and recovery from an emergency, crisis, or disaster. The standard addresses the core elements and criteria of the DHS Title IX preparedness program.
Link: https://www.asisonline.org/Standards-Guidelines/Standards/published/Pages/Organizational-Resilience-Security-Preparedness-and-Continuity-Management-Systems-Requirements-with-Guidance-for-Use.aspx?cart=a8ee9a0a0b4d440e91c5ba199afa0e87


Title: ANSI/ARMA 5‐2003 (2010 revised version available)
Category: Standard
Body: American National Standards Institute
Description: This standard sets the requirement for establishment of a Vital Records Program. It includes clarification of what a Vital Records Program encompasses and the requirements for identifying and protecting vital records, assessing and analyzing their vulnerability, and determining the impact of their loss on the organization.
Link: http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%2fARMA+5-2010

Title: CTIA Telecommunication Industry BCM Standard and certification
Category: Standard
Body: CTIA (Cellular Telecommunications and Internet Association)
Description: Plans to offer standard business continuity guidance to the communications industry.
Link: http://www.tiaonline.org/standards/

Title: NERC CIP 002‐009 2006
Category: Standard
Body: North American Electric Reliability Corporation
Description: Sets reliability standards for the electricity industry.

Title: NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
Category: Standard
Body: National Fire Protection Association (NFPA)
Description: Readiness of emergency power is a key consideration in safeguarding building occupants in the event of a disruption of the normal utility supply. NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems covers performance requirements for stored electric energy systems providing an alternate source of electrical power in buildings and facilities during an interruption of the normal power source.
Link: http://webstore.ansi.org/RecordDetail.aspx?sku=NFPA+111-2010


Title: NFPA 232: Standard on Protection of Records
Category: Standard
Body: National Fire Protection Association (NFPA)
Description: Standards for protection of business records, archives and record centres.

Title: NFPA 1561 (Emergency Services Incident Management System)
Category: Standard
Body: National Fire Protection Association (NFPA)
Description: NFPA 1561: Emergency Services Incident Management System defines and describes the essential elements of an incident management system that promotes coordination among responding agencies.
Link: http://webstore.ansi.org/RecordDetail.aspx?sku=NFPA+1561-2008

Title: PCI Data Security Standard (PCI DSS)
Category: Standard
Body: PCI Security Standards Council (incl. VISA, AMEX, Diners, Discover, JCB)
Description: The PCI DSS states that disaster recovery sites are not in-scope unless they process, store or transmit cardholder data. However, in the same breath, the PCI DSS states that once a disaster recovery site is activated, the site is in-scope and is required to comply with the PCI DSS requirements just as the production data center complied. This should be applicable to any manual workarounds or alternative strategies when a BCP/DR plan has been invoked.
Link: https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss

Title: Generally Accepted Practices for BCM (GAP)
Category: Good Practice
Body: Disaster Recovery Journal (DRJ)
Description: Detailed process level document that provides guidance, recommendations and checklists for developing business continuity programs.


Title: ASIS GDL BC 10 – 2004
Category: Good Practice
Body: ASIS International
Description: Tool to allow organizations to consider the factors and steps necessary to prepare for a crisis (disaster or emergency) so that they can manage and survive the crisis and take appropriate actions to ensure their continued viability.

Title: FDA21 CFR Part II: 1999
Category: Good Practice
Body: Food & Drug Agency
Description: Guidance for the pharmaceutical and health sector on the keeping of electronic records and electronic signatures.

Title: FEMA 141: Disaster Planning Guide for Business and Industry
Category: Good Practice
Body: FEMA (Federal Emergency Management Agency)
Description: Designed to provide guidance for business and industry officials to respond to and recover from disasters.
Link: http://www.fema.gov/business/guide/index.shtm

Title: FEMA Emergency Management Guide for Business and Industry
Category: Good Practice
Body: FEMA (Federal Emergency Management Agency)
Description: A step by step approach to emergency planning, response and recovery for companies of all sizes.


Title: Federal Continuity Directives (FCDs)
Category: Good Practice
Body: FEMA (Federal Emergency Management Agency)
Description: Federal Continuity was developed as a repository of information to guide governmental continuity planning efforts and to share information with private sector stakeholders about the importance of planning. The site provides an overarching framework for US Federal Agencies to develop and deploy actionable continuity strategies.
Link: http://www.fema.gov/about/org/ncp/coop/planning.shtm

Title: FFIEC BCP Handbook: Business Continuity Planning (May 2003) “IT Examination Handbook”
Category: Good Practice
Body: FFIEC
Description: Emphasises that business continuity planning is about maintaining, resuming and recovering the whole business.
Links:
http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/introduction.aspx
http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf

Title: FFIEC FIL‐81‐2005 Information Technology Risk Management Program (IT‐RMP) for conducting IT examinations
Category: Good Practice
Body: FDIC (Federal Deposit Insurance Corporation)
Description: For conducting IT examinations of FDIC supervised financial institutions; covers practices for Risk Assessment, Operations Security & Risk Management, Audit and independent review.


Title: Homeland Security Strategy for Critical Infrastructure Protection in Financial Services Sector (May 2004)
Category: Good Practice
Body: FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection)
Description: Ensuring the resiliency of the nation to minimize the damage and expedite the recovery from attacks that do occur.
Links:
http://digital.library.unt.edu/govdocs/crs/permalink/meta-crs-7844:1
http://www.sifma.org/services/business_continuity/pdf/NationalStrategy.pdf

Title: Business continuity planning committee best practice guidelines (April 2011)
Category: Good Practice
Body: SIA (Securities Industry Association)
Description: Each firm should have in place a BC program.

Title: NIST SP 800‐34 Contingency Planning Guide
Category: Good Practice
Body: NIST (National Institute of Standards and Technology)
Description: Details the fundamental planning principles necessary for developing an effective contingency capability. Contingency planning guidance includes preliminary planning, business impact analysis, alternative site selection and recovery strategies.
Link: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf


Title: NIST SP 800‐53
Category: Good Practice
Body: National Institute for Information Technology Systems (NIST)
Description: Guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the federal Government. The standard also includes contingency planning policy and procedures.
Link: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

Title: OCC 2003‐18: FFIEC (March 2003)
Category: Good Practice
Body: OCC (Office of the Comptroller of the Currency)
Description: Information Technology Examination Handbook – Business Continuity Planning and Supervision of Technology Service Providers Booklets.
Link: http://www.occ.treas.gov/ftp/bulletin/2003-18.doc

Title: OCC 99‐9: Infrastructure Threats from Cyber Terrorists (March 5 1999)
Category: Good Practice
Body: OCC (Office of the Comptroller of the Currency)
Description: Identifies and raises awareness of vulnerabilities and threats of cyber terrorism to the financial services industry, including ensuring that these threats are taken into account when preparing and testing a disaster recovery/business contingency plan.
Link: http://www.occ.treas.gov/ftp/bulletin/99-9.txt


Title: OCC Comptroller's Handbooks
Category: Good Practice
Body: OCC (Office of the Comptroller of the Currency)
Description: The OCC Comptroller's Handbook provides guidance for asset management, safety and soundness, consumer compliance, and securities compliance. Together with this handbook, the following separate publications have been issued by the OCC:
- Business Continuity Planning: Bank and Thrift Agencies Issue Advisory on Influenza Pandemic Preparedness 03/15/2006
- Business Continuity Planning: Benefits of Regional Coalitions for Disaster Recovery 09/16/2008
- Business Continuity Planning: Lessons Learned from Hurricane Katrina 06/13/200
Link: http://www.occ.treas.gov/handbook/chndbk.htm

Title: Post 9‐11 Crisis Communications, Best Practices for Crisis Planning Prevention and Continuous Improvement (June 2002)
Category: Good Practice
Body: Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut)
Description: This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis preparation, prevention and continuous improvement strategies.


Title: Supervision of Technology Service Providers Booklets (May 2003)
Category: Good Practice
Body: FFIEC
Description: Business Continuity Planning, Supervision of Technology Service Provider Guidance, released by Federal Financial Regulators. The Business Continuity Planning booklet provides guidance and examination procedures to assist examiners in evaluating financial institutions’ and service providers’ risk management processes to ensure the availability of critical financial services.

Title: FFIEC BC Handbook 2008
Category: Good Practice
Body: FFIEC
Description: Guidance to financial institutions regarding the planning and implementation of BC plans and processes.


Title: Outsourcing Technology Booklet
Category: Good Practice
Body: FFIEC
Description: The institution should understand all relevant service provider business continuity requirements, incorporate those requirements within its own business continuity plan, and ensure the service provider tests its plan annually. Management should require the service provider to report all test plan results and to notify the institution after any business continuity plan modifications. The institution should integrate the provider's business continuity plan into its own plan, communicate functions to the appropriate personnel, and maintain and periodically review the combined plan.
Link: http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/related-topics/business-continuity-planning.aspx

Title: GTAG 7 - Global Technology Audit Guide
Category: Good Practice
Body: Institute of Internal Auditors (IIA)
Description: IPPF Practice Guide for Internal Auditors.

Title: GTAG 10 – Business Continuity Management
Category: Good Practice
Body: Institute of Internal Auditors (IIA)
Description: IPPF Practice Guide for Internal Auditors.


Title: SIFMA BCP Best Practices Documents - The benefits of Public and Private Partnerships (September 2011)
Category: Good Practice
Body: ISIA (International Securities Industry Association)
Description: The SIFMA BCP Best Practices Committee completed work on a survey regarding Regional Coalitions. Based upon the survey results, the following areas of additional interest were identified and will be addressed by this document:
1. Increase awareness of public/private partnerships
2. Define how to establish and maintain public/private partnership relationships and outline the ‘best practices’ for participation
3. Define how to engage regional partnerships for test planning and execution
Link: http://www.sifma.org/uploadedfiles/services/bcp/sifma-bcm-best-prax-regional-coalitions.pdf


Title: SIFMA Business Continuity Resources
Category: Good Practice
Body: SIFMA (Securities Industry and Financial Markets Association)
Description: The following guidelines are published by SIFMA:
- BCP Best Practices Document. Regional Coalitions: The Benefits of Public and Private Partnerships - September 2011
- Executive Summary: Telecommuting Analysis of Regional Winter Storms 2010 & 2011 - September 2011
- Vendor Business Continuity Questionnaire 2010
- Business Continuity Practices Guidelines - April 2011
- Telecommuting Sound Practice Guidelines - March 2009
- Testing Methodologies For Validating Business Continuity Plans - January 2008
- BCP Critical Infrastructure Guide - February 2007
Link: http://www.sifma.org/services/bcp/resources/

Title: Joint Commission Accreditation Manual for Hospitals (1997)
Category: Good Practice
Body: Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
Description: Guidelines for information management established by the Joint Commission Standard Label IM.1.20 – The (organization) plans for the continuity of its information management.
Link: http://www.jointcommission.org/standards_information/joint_commission_requirements.aspx


Additional Resources

There are other third-party sources of information that can also be referenced and that relate to similar topics. The BCI is grateful to all individuals and organizations that have contributed to this reference document; other useful sources can be found below.

Additional Resources: http://www.planning.sungard.com/KnowledgeNet/ReferenceDesk/regulations.asp

http://www.strohlsystems.com/Education/_files/Regulations/RegulationsStandards.pdf

http://www.lootok.com/Resource_Directory/financial-business-continuity-standards-regulations.php

http://www.slideshare.net/TPComps/regulations-and-standards-for-dr

http://www.gartner.com/id=483265

http://www.geminare.com/pdf/U.S._Regulatory_Compliance_Overview.pdf

http://www.informit.com/articles/article.aspx?p=777896

http://www.avalution.com/Resources/Standards/Pages/InternationalStandardsandRegulatoryRequirements.aspx

https://www.gov.uk/resilience-in-society-infrastructure-communities-and-businesses


Page | 110 © The BCI 2016